{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 3.642
      },
      {
        "name": "AnalysisInfo",
        "time": 0.021
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.063
      },
      {
        "name": "Debug",
        "time": 0.002
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.019
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "antivm_network_adapters",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "guloader_apis",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "koadic_apis",
        "time": 0.0
      },
      {
        "name": "koadic_network_activity",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "cryptbot_network",
        "time": 0.0
      },
      {
        "name": "masslogger_artifacts",
        "time": 0.0
      },
      {
        "name": "purplewave_network_activity",
        "time": 0.0
      },
      {
        "name": "quilclipper_behavior",
        "time": 0.0
      },
      {
        "name": "raccoon_behavior",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "vidar_behavior",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "loader_alien",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypt_pcinfo",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agenttesla_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agentteslat2_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_nanocore",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "nemty_network_activity",
        "time": 0.0
      },
      {
        "name": "nemty_note",
        "time": 0.0
      },
      {
        "name": "sodinokibi_behavior",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_registry",
        "time": 0.0
      },
      {
        "name": "blackrat_apis",
        "time": 0.0
      },
      {
        "name": "blackrat_network_activity",
        "time": 0.0
      },
      {
        "name": "blackrat_registry_keys",
        "time": 0.0
      },
      {
        "name": "dcrat_behavior",
        "time": 0.0
      },
      {
        "name": "karagany_system_event_objects",
        "time": 0.0
      },
      {
        "name": "rat_luminosity",
        "time": 0.0
      },
      {
        "name": "rat_nanocore",
        "time": 0.0
      },
      {
        "name": "netwire_behavior",
        "time": 0.0
      },
      {
        "name": "obliquerat_network_activity",
        "time": 0.0
      },
      {
        "name": "orcusrat_behavior",
        "time": 0.0
      },
      {
        "name": "trochilusrat_apis",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "remcos_shell_code_dynamic_wrapper_x",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "neshta_files",
        "time": 0.0
      },
      {
        "name": "neshta_regkeys",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.0
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.0
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.0
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.0
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.0
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "sigma_events",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.0
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.002
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.003
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.004
      },
      {
        "name": "antiav_detectreg",
        "time": 0.013
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.0
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.0
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.001
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.0
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.001
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.002
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.002
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.001
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.001
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "gulpix_behavior",
        "time": 0.0
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.0
      },
      {
        "name": "okrum_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_cridex",
        "time": 0.0
      },
      {
        "name": "geodo_banking_trojan",
        "time": 0.001
      },
      {
        "name": "banker_spyeye_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_zeus_mutex",
        "time": 0.0
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.0
      },
      {
        "name": "checks_uac_status",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "carberp_mutex",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.0
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "cypherit_mutexes",
        "time": 0.0
      },
      {
        "name": "darkcomet_regkeys",
        "time": 0.0
      },
      {
        "name": "datop_loader",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "andromut_mutexes",
        "time": 0.0
      },
      {
        "name": "downloader_cabby",
        "time": 0.0
      },
      {
        "name": "phorpiex_mutexes",
        "time": 0.0
      },
      {
        "name": "protonbot_mutexes",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "apocalypse_stealer_file_behavior",
        "time": 0.0
      },
      {
        "name": "arkei_files",
        "time": 0.0
      },
      {
        "name": "azorult_mutexes",
        "time": 0.001
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.002
      },
      {
        "name": "cryptbot_files",
        "time": 0.0
      },
      {
        "name": "echelon_files",
        "time": 0.001
      },
      {
        "name": "infostealer_ftp",
        "time": 0.006
      },
      {
        "name": "infostealer_im",
        "time": 0.004
      },
      {
        "name": "infostealer_mail",
        "time": 0.002
      },
      {
        "name": "masslogger_files",
        "time": 0.0
      },
      {
        "name": "poullight_files",
        "time": 0.001
      },
      {
        "name": "purplewave_mutexes",
        "time": 0.0
      },
      {
        "name": "quilclipper_mutexes",
        "time": 0.0
      },
      {
        "name": "qulab_files",
        "time": 0.001
      },
      {
        "name": "qulab_mutexes",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.002
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.001
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.0
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.0
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.0
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.0
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.0
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powerpool_mutexes",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "cryptomix_mutexes",
        "time": 0.0
      },
      {
        "name": "dharma_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.008
      },
      {
        "name": "ransomware_files",
        "time": 0.007
      },
      {
        "name": "fonix_mutexes",
        "time": 0.0
      },
      {
        "name": "gandcrab_mutexes",
        "time": 0.0
      },
      {
        "name": "germanwiper_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_regkeys",
        "time": 0.0
      },
      {
        "name": "nemty_mutexes",
        "time": 0.0
      },
      {
        "name": "nemty_regkeys",
        "time": 0.0
      },
      {
        "name": "pysa_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_radamant",
        "time": 0.0
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "revil_mutexes",
        "time": 0.001
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "satan_mutexes",
        "time": 0.0
      },
      {
        "name": "snake_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_cmd",
        "time": 0.0
      },
      {
        "name": "ransomware_stopdjvu",
        "time": 0.0
      },
      {
        "name": "rat_beebus_mutexes",
        "time": 0.0
      },
      {
        "name": "blacknet_mutexes",
        "time": 0.0
      },
      {
        "name": "blackrat_mutexes",
        "time": 0.0
      },
      {
        "name": "crat_mutexes",
        "time": 0.0
      },
      {
        "name": "dcrat_files",
        "time": 0.0
      },
      {
        "name": "dcrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_fynloski_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_regkeys",
        "time": 0.0
      },
      {
        "name": "lodarat_file_behavior",
        "time": 0.0
      },
      {
        "name": "modirat_behavior",
        "time": 0.0
      },
      {
        "name": "njrat_regkeys",
        "time": 0.0
      },
      {
        "name": "obliquerat_files",
        "time": 0.0
      },
      {
        "name": "obliquerat_mutexes",
        "time": 0.0
      },
      {
        "name": "parallax_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_pcclient",
        "time": 0.0
      },
      {
        "name": "rat_plugx_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_poisonivy_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_quasar_mutexes",
        "time": 0.0
      },
      {
        "name": "ratsnif_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_spynet",
        "time": 0.0
      },
      {
        "name": "venomrat_mutexes",
        "time": 0.0
      },
      {
        "name": "warzonerat_files",
        "time": 0.0
      },
      {
        "name": "warzonerat_regkeys",
        "time": 0.0
      },
      {
        "name": "xpertrat_files",
        "time": 0.0
      },
      {
        "name": "xpertrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_xtreme_mutexes",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.001
      },
      {
        "name": "remcos_files",
        "time": 0.0
      },
      {
        "name": "remcos_mutexes",
        "time": 0.0
      },
      {
        "name": "remcos_regkeys",
        "time": 0.0
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "spicyhotpot_behavior",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.001
      },
      {
        "name": "tampers_etw",
        "time": 0.001
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "targeted_flame",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.006
      },
      {
        "name": "trickbot_mutex",
        "time": 0.0
      },
      {
        "name": "fleercivet_mutex",
        "time": 0.0
      },
      {
        "name": "lokibot_mutexes",
        "time": 0.0
      },
      {
        "name": "ursnif_behavior",
        "time": 0.001
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "neshta_mutexes",
        "time": 0.0
      },
      {
        "name": "renamer_mutexes",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.003
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.004
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      },
      {
        "name": "allaple_mutexes",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "test_win.bat",
      "path": "/opt/CAPEv2/storage/binaries/6f7caa9e033886dc9944c6dc966a7730833622b21570d45e2da206b180083f55",
      "guest_paths": "",
      "size": 93,
      "crc32": "C684FC53",
      "md5": "80465455b46676f45790ee8f73e75059",
      "sha1": "c364111154e6e2b24642399b5af52b0af075e36e",
      "sha256": "6f7caa9e033886dc9944c6dc966a7730833622b21570d45e2da206b180083f55",
      "sha512": "f41341eed78727192abc5d32f013b2e4f097807a6072c94c02931d30e44b4feb536a968a29e3f9389da634c1683680779e1b5b2834b67fff8209c08ad7fa1c17",
      "rh_hash": null,
      "ssdeep": "3:mKDDro+Lzjoue4FAq6xgjxFV2gjiLDzn:hnVLnouZOq6xaHM/",
      "type": "DOS batch file, ASCII text",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1C2B0120FF0962D73C3E1CC7428800441380C17E7C850CC2161C7193404C14C0328E931",
      "sha3_384": "a577b851bc168daef4672eec933ca9a2e6416931389cb36e85a469d75d776e017f93ab1d54578bb7a3a63c2b14f13e92",
      "yara_hash": "fe117167fbd534878f0d9e7ac29fa46e0f54b9514e7874201773b1e16ed71c1a",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "data": "@echo off\necho CAPE Test Sample\necho Hostname: %COMPUTERNAME%\necho User: %USERNAME%\nipconfig\n",
      "strings": [],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "procdump": [
    {
      "name": "4c0faeea52c90d27fc245f77c8c05d5e36e4e5d3e667aca752d7f82d3425ca55",
      "path": "/opt/CAPEv2/storage/analyses/6/procdump/4c0faeea52c90d27fc245f77c8c05d5e36e4e5d3e667aca752d7f82d3425ca55",
      "guest_paths": "1;?C:\\Windows\\SysWOW64\\cmd.exe;?C:\\Windows\\SysWOW64\\cmd.exe;?",
      "size": 355840,
      "crc32": "A7214248",
      "md5": "e7571a78256a7cca06921a979b6f9679",
      "sha1": "c19780a6950dfbb64abd5336a247fd856c6b63cb",
      "sha256": "4c0faeea52c90d27fc245f77c8c05d5e36e4e5d3e667aca752d7f82d3425ca55",
      "sha512": "863dc7864887a82259a7259caf3607791d64ce7a58f8e7f45ef0da4171278e8e076843a4f3004c66181a53645ccf7e87564f10fc76342d4ce4a7a0b0333624dc",
      "rh_hash": null,
      "ssdeep": "6144:jzIMI70hNHU4zrUMBpsQgvmspRJZtvhnXfm+:j8MG0h1U4jHsQgvBpRJZbfp",
      "type": "PE32 executable (console) Intel 80386, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T17E748C62A24481B5DDA1227C699EF6368D7DFC208B2151C3A3D1AFDBF8307C1793935A",
      "sha3_384": "8da05df1eb611dd629342d5483661e62a6085e8ea67e6cd67125a39e6d337da6fa922e0ab353271cb617c61cc74f44e8",
      "yara_hash": "fe117167fbd534878f0d9e7ac29fa46e0f54b9514e7874201773b1e16ed71c1a",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "This file format cannot be verified because it is not recognized.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00540000",
        "entrypoint": "0x0001bd70",
        "ep_bytes": "e8f0050000e96efeffffcccccccccccc",
        "peid_signatures": null,
        "reported_checksum": "0x0003d8b4",
        "actual_checksum": "0x0005ca99",
        "osversion": "10.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": "cmd.pdb",
        "imports": {
          "api-ms-win-crt-string-l1-1-0": {
            "dll": "api-ms-win-crt-string-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b474",
                "name": "memset"
              },
              {
                "address": "0x58b478",
                "name": "wcsncmp"
              },
              {
                "address": "0x58b47c",
                "name": "wcsspn"
              }
            ]
          },
          "api-ms-win-crt-time-l1-1-0": {
            "dll": "api-ms-win-crt-time-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b484",
                "name": "_time32"
              }
            ]
          },
          "api-ms-win-crt-runtime-l1-1-0": {
            "dll": "api-ms-win-crt-runtime-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b460",
                "name": "_register_thread_local_exe_atexit_callback"
              },
              {
                "address": "0x58b464",
                "name": "_c_exit"
              },
              {
                "address": "0x58b468",
                "name": "_initterm_e"
              },
              {
                "address": "0x58b46c",
                "name": "_initterm"
              }
            ]
          },
          "api-ms-win-crt-private-l1-1-0": {
            "dll": "api-ms-win-crt-private-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b318",
                "name": "_o__get_initial_narrow_environment"
              },
              {
                "address": "0x58b31c",
                "name": "_o__get_osfhandle"
              },
              {
                "address": "0x58b320",
                "name": "_o__getch"
              },
              {
                "address": "0x58b324",
                "name": "_o__initialize_narrow_environment"
              },
              {
                "address": "0x58b328",
                "name": "_o__initialize_onexit_table"
              },
              {
                "address": "0x58b32c",
                "name": "_o__invalid_parameter_noinfo"
              },
              {
                "address": "0x58b330",
                "name": "_o__open_osfhandle"
              },
              {
                "address": "0x58b334",
                "name": "_o__pclose"
              },
              {
                "address": "0x58b338",
                "name": "_o__pipe"
              },
              {
                "address": "0x58b33c",
                "name": "_o__purecall"
              },
              {
                "address": "0x58b340",
                "name": "_o__register_onexit_function"
              },
              {
                "address": "0x58b344",
                "name": "_o__seh_filter_exe"
              },
              {
                "address": "0x58b348",
                "name": "_o__set_app_type"
              },
              {
                "address": "0x58b34c",
                "name": "_o__set_fmode"
              },
              {
                "address": "0x58b350",
                "name": "_o__set_new_mode"
              },
              {
                "address": "0x58b354",
                "name": "_o__setmode"
              },
              {
                "address": "0x58b358",
                "name": "memmove"
              },
              {
                "address": "0x58b35c",
                "name": "_o__ultoa"
              },
              {
                "address": "0x58b360",
                "name": "_o__ultoa_s"
              },
              {
                "address": "0x58b364",
                "name": "_o__wcsicmp"
              },
              {
                "address": "0x58b368",
                "name": "_o__wcslwr"
              },
              {
                "address": "0x58b36c",
                "name": "_o__wcsnicmp"
              },
              {
                "address": "0x58b370",
                "name": "_o__wcsupr"
              },
              {
                "address": "0x58b374",
                "name": "_o__wpopen"
              },
              {
                "address": "0x58b378",
                "name": "_o__wtol"
              },
              {
                "address": "0x58b37c",
                "name": "_o_calloc"
              },
              {
                "address": "0x58b380",
                "name": "_o_exit"
              },
              {
                "address": "0x58b384",
                "name": "_o_feof"
              },
              {
                "address": "0x58b388",
                "name": "_o_ferror"
              },
              {
                "address": "0x58b38c",
                "name": "_o_fflush"
              },
              {
                "address": "0x58b390",
                "name": "_o_fgets"
              },
              {
                "address": "0x58b394",
                "name": "_o_free"
              },
              {
                "address": "0x58b398",
                "name": "_o_iswalpha"
              },
              {
                "address": "0x58b39c",
                "name": "_o_iswdigit"
              },
              {
                "address": "0x58b3a0",
                "name": "_o_iswspace"
              },
              {
                "address": "0x58b3a4",
                "name": "_o_iswxdigit"
              },
              {
                "address": "0x58b3a8",
                "name": "_o_malloc"
              },
              {
                "address": "0x58b3ac",
                "name": "_o_qsort"
              },
              {
                "address": "0x58b3b0",
                "name": "_o_rand"
              },
              {
                "address": "0x58b3b4",
                "name": "_o_realloc"
              },
              {
                "address": "0x58b3b8",
                "name": "_o_setlocale"
              },
              {
                "address": "0x58b3bc",
                "name": "_o_srand"
              },
              {
                "address": "0x58b3c0",
                "name": "_o_terminate"
              },
              {
                "address": "0x58b3c4",
                "name": "_o_towlower"
              },
              {
                "address": "0x58b3c8",
                "name": "_o_towupper"
              },
              {
                "address": "0x58b3cc",
                "name": "_o_wcstol"
              },
              {
                "address": "0x58b3d0",
                "name": "_o_wcstoul"
              },
              {
                "address": "0x58b3d4",
                "name": "_except_handler4_common"
              },
              {
                "address": "0x58b3d8",
                "name": "__CxxFrameHandler3"
              },
              {
                "address": "0x58b3dc",
                "name": "__current_exception"
              },
              {
                "address": "0x58b3e0",
                "name": "__current_exception_context"
              },
              {
                "address": "0x58b3e4",
                "name": "_CxxThrowException"
              },
              {
                "address": "0x58b3e8",
                "name": "_o__exit"
              },
              {
                "address": "0x58b3ec",
                "name": "_o__errno"
              },
              {
                "address": "0x58b3f0",
                "name": "_o__dup2"
              },
              {
                "address": "0x58b3f4",
                "name": "_o__dup"
              },
              {
                "address": "0x58b3f8",
                "name": "_o__crt_atexit"
              },
              {
                "address": "0x58b3fc",
                "name": "_o__controlfp_s"
              },
              {
                "address": "0x58b400",
                "name": "_o__configure_narrow_argv"
              },
              {
                "address": "0x58b404",
                "name": "_o__configthreadlocale"
              },
              {
                "address": "0x58b408",
                "name": "_o__close"
              },
              {
                "address": "0x58b40c",
                "name": "_o__cexit"
              },
              {
                "address": "0x58b410",
                "name": "_o__callnewh"
              },
              {
                "address": "0x58b414",
                "name": "_o___stdio_common_vswscanf"
              },
              {
                "address": "0x58b418",
                "name": "_o___stdio_common_vswprintf"
              },
              {
                "address": "0x58b41c",
                "name": "_o___stdio_common_vfprintf"
              },
              {
                "address": "0x58b420",
                "name": "_o___std_exception_destroy"
              },
              {
                "address": "0x58b424",
                "name": "_o___std_exception_copy"
              },
              {
                "address": "0x58b428",
                "name": "_o___p__commode"
              },
              {
                "address": "0x58b42c",
                "name": "_o___p___argv"
              },
              {
                "address": "0x58b430",
                "name": "_o___p___argc"
              },
              {
                "address": "0x58b434",
                "name": "_o___acrt_iob_func"
              },
              {
                "address": "0x58b438",
                "name": "wcsstr"
              },
              {
                "address": "0x58b43c",
                "name": "wcsrchr"
              },
              {
                "address": "0x58b440",
                "name": "wcschr"
              },
              {
                "address": "0x58b444",
                "name": "longjmp"
              },
              {
                "address": "0x58b448",
                "name": "_local_unwind4"
              },
              {
                "address": "0x58b44c",
                "name": "_setjmp3"
              },
              {
                "address": "0x58b450",
                "name": "memcmp"
              },
              {
                "address": "0x58b454",
                "name": "memcpy"
              },
              {
                "address": "0x58b458",
                "name": "_o__tell"
              }
            ]
          },
          "ntdll": {
            "dll": "ntdll.dll",
            "imports": [
              {
                "address": "0x58b49c",
                "name": "RtlCreateUnicodeStringFromAsciiz"
              },
              {
                "address": "0x58b4a0",
                "name": "NtOpenProcessToken"
              },
              {
                "address": "0x58b4a4",
                "name": "NtQueryInformationToken"
              },
              {
                "address": "0x58b4a8",
                "name": "NtClose"
              },
              {
                "address": "0x58b4ac",
                "name": "NtOpenThreadToken"
              },
              {
                "address": "0x58b4b0",
                "name": "NtCancelSynchronousIoFile"
              },
              {
                "address": "0x58b4b4",
                "name": "RtlNtStatusToDosError"
              },
              {
                "address": "0x58b4b8",
                "name": "NtQueryInformationProcess"
              },
              {
                "address": "0x58b4bc",
                "name": "NtSetInformationProcess"
              },
              {
                "address": "0x58b4c0",
                "name": "NtQueryVolumeInformationFile"
              },
              {
                "address": "0x58b4c4",
                "name": "NtSetInformationFile"
              },
              {
                "address": "0x58b4c8",
                "name": "RtlDosPathNameToRelativeNtPathName_U_WithStatus"
              },
              {
                "address": "0x58b4cc",
                "name": "NtOpenFile"
              },
              {
                "address": "0x58b4d0",
                "name": "RtlReleaseRelativeName"
              },
              {
                "address": "0x58b4d4",
                "name": "RtlFreeUnicodeString"
              },
              {
                "address": "0x58b4d8",
                "name": "RtlFindLeastSignificantBit"
              },
              {
                "address": "0x58b4dc",
                "name": "RtlDosPathNameToNtPathName_U"
              },
              {
                "address": "0x58b4e0",
                "name": "NtFsControlFile"
              },
              {
                "address": "0x58b4e4",
                "name": "RtlFreeHeap"
              }
            ]
          },
          "api-ms-win-core-libraryloader-l1-2-0": {
            "dll": "api-ms-win-core-libraryloader-l1-2-0.dll",
            "imports": [
              {
                "address": "0x58b174",
                "name": "LoadLibraryExW"
              },
              {
                "address": "0x58b178",
                "name": "GetModuleHandleExW"
              },
              {
                "address": "0x58b17c",
                "name": "GetModuleFileNameW"
              },
              {
                "address": "0x58b180",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x58b184",
                "name": "GetProcAddress"
              },
              {
                "address": "0x58b188",
                "name": "GetModuleFileNameA"
              }
            ]
          },
          "api-ms-win-core-synch-l1-1-0": {
            "dll": "api-ms-win-core-synch-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b288",
                "name": "InitializeCriticalSection"
              },
              {
                "address": "0x58b28c",
                "name": "ReleaseSRWLockExclusive"
              },
              {
                "address": "0x58b290",
                "name": "ReleaseSRWLockShared"
              },
              {
                "address": "0x58b294",
                "name": "TryAcquireSRWLockExclusive"
              },
              {
                "address": "0x58b298",
                "name": "ReleaseMutex"
              },
              {
                "address": "0x58b29c",
                "name": "AcquireSRWLockExclusive"
              },
              {
                "address": "0x58b2a0",
                "name": "WaitForSingleObject"
              },
              {
                "address": "0x58b2a4",
                "name": "WaitForSingleObjectEx"
              },
              {
                "address": "0x58b2a8",
                "name": "InitializeCriticalSectionEx"
              },
              {
                "address": "0x58b2ac",
                "name": "LeaveCriticalSection"
              },
              {
                "address": "0x58b2b0",
                "name": "AcquireSRWLockShared"
              },
              {
                "address": "0x58b2b4",
                "name": "ReleaseSemaphore"
              },
              {
                "address": "0x58b2b8",
                "name": "EnterCriticalSection"
              },
              {
                "address": "0x58b2bc",
                "name": "DeleteCriticalSection"
              },
              {
                "address": "0x58b2c0",
                "name": "CreateMutexExW"
              },
              {
                "address": "0x58b2c4",
                "name": "CreateSemaphoreExW"
              },
              {
                "address": "0x58b2c8",
                "name": "OpenSemaphoreW"
              }
            ]
          },
          "api-ms-win-core-heap-l1-1-0": {
            "dll": "api-ms-win-core-heap-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b138",
                "name": "HeapReAlloc"
              },
              {
                "address": "0x58b13c",
                "name": "GetProcessHeap"
              },
              {
                "address": "0x58b140",
                "name": "HeapSize"
              },
              {
                "address": "0x58b144",
                "name": "HeapFree"
              },
              {
                "address": "0x58b148",
                "name": "HeapAlloc"
              },
              {
                "address": "0x58b14c",
                "name": "HeapSetInformation"
              }
            ]
          },
          "api-ms-win-core-errorhandling-l1-1-0": {
            "dll": "api-ms-win-core-errorhandling-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b084",
                "name": "SetErrorMode"
              },
              {
                "address": "0x58b088",
                "name": "SetLastError"
              },
              {
                "address": "0x58b08c",
                "name": "SetUnhandledExceptionFilter"
              },
              {
                "address": "0x58b090",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x58b094",
                "name": "GetLastError"
              }
            ]
          },
          "api-ms-win-core-threadpool-l1-2-0": {
            "dll": "api-ms-win-core-threadpool-l1-2-0.dll",
            "imports": [
              {
                "address": "0x58b2f8",
                "name": "SetThreadpoolTimer"
              },
              {
                "address": "0x58b2fc",
                "name": "CloseThreadpoolTimer"
              },
              {
                "address": "0x58b300",
                "name": "WaitForThreadpoolTimerCallbacks"
              },
              {
                "address": "0x58b304",
                "name": "CreateThreadpoolTimer"
              }
            ]
          },
          "api-ms-win-core-processthreads-l1-1-0": {
            "dll": "api-ms-win-core-processthreads-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b208",
                "name": "DeleteProcThreadAttributeList"
              },
              {
                "address": "0x58b20c",
                "name": "CreateProcessAsUserW"
              },
              {
                "address": "0x58b210",
                "name": "CreateProcessW"
              },
              {
                "address": "0x58b214",
                "name": "UpdateProcThreadAttribute"
              },
              {
                "address": "0x58b218",
                "name": "InitializeProcThreadAttributeList"
              },
              {
                "address": "0x58b21c",
                "name": "GetCurrentThreadId"
              },
              {
                "address": "0x58b220",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x58b224",
                "name": "ResumeThread"
              },
              {
                "address": "0x58b228",
                "name": "GetCurrentProcessId"
              },
              {
                "address": "0x58b22c",
                "name": "GetExitCodeProcess"
              },
              {
                "address": "0x58b230",
                "name": "TerminateProcess"
              },
              {
                "address": "0x58b234",
                "name": "OpenThread"
              },
              {
                "address": "0x58b238",
                "name": "GetStartupInfoW"
              }
            ]
          },
          "api-ms-win-core-localization-l1-2-0": {
            "dll": "api-ms-win-core-localization-l1-2-0.dll",
            "imports": [
              {
                "address": "0x58b190",
                "name": "GetUserDefaultLCID"
              },
              {
                "address": "0x58b194",
                "name": "GetCPInfo"
              },
              {
                "address": "0x58b198",
                "name": "SetThreadLocale"
              },
              {
                "address": "0x58b19c",
                "name": "GetACP"
              },
              {
                "address": "0x58b1a0",
                "name": "GetThreadLocale"
              },
              {
                "address": "0x58b1a4",
                "name": "GetLocaleInfoW"
              },
              {
                "address": "0x58b1a8",
                "name": "FormatMessageW"
              }
            ]
          },
          "api-ms-win-core-debug-l1-1-0": {
            "dll": "api-ms-win-core-debug-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b064",
                "name": "OutputDebugStringW"
              },
              {
                "address": "0x58b068",
                "name": "IsDebuggerPresent"
              },
              {
                "address": "0x58b06c",
                "name": "DebugBreak"
              }
            ]
          },
          "api-ms-win-core-handle-l1-1-0": {
            "dll": "api-ms-win-core-handle-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b12c",
                "name": "CloseHandle"
              },
              {
                "address": "0x58b130",
                "name": "DuplicateHandle"
              }
            ]
          },
          "api-ms-win-core-memory-l1-1-0": {
            "dll": "api-ms-win-core-memory-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b1b0",
                "name": "VirtualQuery"
              },
              {
                "address": "0x58b1b4",
                "name": "VirtualFree"
              },
              {
                "address": "0x58b1b8",
                "name": "VirtualAlloc"
              },
              {
                "address": "0x58b1bc",
                "name": "ReadProcessMemory"
              }
            ]
          },
          "api-ms-win-core-console-l1-1-0": {
            "dll": "api-ms-win-core-console-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b008",
                "name": "GetConsoleOutputCP"
              },
              {
                "address": "0x58b00c",
                "name": "SetConsoleMode"
              },
              {
                "address": "0x58b010",
                "name": "GetConsoleMode"
              },
              {
                "address": "0x58b014",
                "name": "SetConsoleCtrlHandler"
              },
              {
                "address": "0x58b018",
                "name": "WriteConsoleW"
              },
              {
                "address": "0x58b01c",
                "name": "ReadConsoleW"
              }
            ]
          },
          "api-ms-win-core-file-l1-1-0": {
            "dll": "api-ms-win-core-file-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b09c",
                "name": "WriteFile"
              },
              {
                "address": "0x58b0a0",
                "name": "FindFirstFileExW"
              },
              {
                "address": "0x58b0a4",
                "name": "CompareFileTime"
              },
              {
                "address": "0x58b0a8",
                "name": "RemoveDirectoryW"
              },
              {
                "address": "0x58b0ac",
                "name": "GetFileSize"
              },
              {
                "address": "0x58b0b0",
                "name": "GetFileAttributesW"
              },
              {
                "address": "0x58b0b4",
                "name": "GetFileType"
              },
              {
                "address": "0x58b0b8",
                "name": "GetVolumePathNameW"
              },
              {
                "address": "0x58b0bc",
                "name": "SetFilePointer"
              },
              {
                "address": "0x58b0c0",
                "name": "SetFileTime"
              },
              {
                "address": "0x58b0c4",
                "name": "DeleteFileW"
              },
              {
                "address": "0x58b0c8",
                "name": "SetEndOfFile"
              },
              {
                "address": "0x58b0cc",
                "name": "SetFileAttributesW"
              },
              {
                "address": "0x58b0d0",
                "name": "GetDriveTypeW"
              },
              {
                "address": "0x58b0d4",
                "name": "CreateDirectoryW"
              },
              {
                "address": "0x58b0d8",
                "name": "ReadFile"
              },
              {
                "address": "0x58b0dc",
                "name": "GetVolumeInformationW"
              },
              {
                "address": "0x58b0e0",
                "name": "GetDiskFreeSpaceExW"
              },
              {
                "address": "0x58b0e4",
                "name": "CreateFileW"
              },
              {
                "address": "0x58b0e8",
                "name": "FlushFileBuffers"
              },
              {
                "address": "0x58b0ec",
                "name": "GetFileAttributesExW"
              },
              {
                "address": "0x58b0f0",
                "name": "FindClose"
              },
              {
                "address": "0x58b0f4",
                "name": "FindNextFileW"
              },
              {
                "address": "0x58b0f8",
                "name": "FindFirstFileW"
              },
              {
                "address": "0x58b0fc",
                "name": "FileTimeToLocalFileTime"
              },
              {
                "address": "0x58b100",
                "name": "GetFullPathNameW"
              },
              {
                "address": "0x58b104",
                "name": "SetFilePointerEx"
              }
            ]
          },
          "api-ms-win-core-string-l1-1-0": {
            "dll": "api-ms-win-core-string-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b27c",
                "name": "WideCharToMultiByte"
              },
              {
                "address": "0x58b280",
                "name": "MultiByteToWideChar"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-1-0": {
            "dll": "api-ms-win-core-processenvironment-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b1d0",
                "name": "SetEnvironmentStringsW"
              },
              {
                "address": "0x58b1d4",
                "name": "SetEnvironmentVariableW"
              },
              {
                "address": "0x58b1d8",
                "name": "FreeEnvironmentStringsW"
              },
              {
                "address": "0x58b1dc",
                "name": "SearchPathW"
              },
              {
                "address": "0x58b1e0",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x58b1e4",
                "name": "GetStdHandle"
              },
              {
                "address": "0x58b1e8",
                "name": "GetCurrentDirectoryW"
              },
              {
                "address": "0x58b1ec",
                "name": "SetCurrentDirectoryW"
              },
              {
                "address": "0x58b1f0",
                "name": "ExpandEnvironmentStringsW"
              },
              {
                "address": "0x58b1f4",
                "name": "GetEnvironmentVariableW"
              },
              {
                "address": "0x58b1f8",
                "name": "GetEnvironmentStringsW"
              }
            ]
          },
          "api-ms-win-core-console-l2-1-0": {
            "dll": "api-ms-win-core-console-l2-1-0.dll",
            "imports": [
              {
                "address": "0x58b024",
                "name": "SetConsoleCursorPosition"
              },
              {
                "address": "0x58b028",
                "name": "FlushConsoleInputBuffer"
              },
              {
                "address": "0x58b02c",
                "name": "FillConsoleOutputCharacterW"
              },
              {
                "address": "0x58b030",
                "name": "ScrollConsoleScreenBufferW"
              },
              {
                "address": "0x58b034",
                "name": "GetConsoleScreenBufferInfo"
              },
              {
                "address": "0x58b038",
                "name": "SetConsoleTextAttribute"
              },
              {
                "address": "0x58b03c",
                "name": "FillConsoleOutputAttribute"
              }
            ]
          },
          "api-ms-win-security-base-l1-1-0": {
            "dll": "api-ms-win-security-base-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b48c",
                "name": "RevertToSelf"
              },
              {
                "address": "0x58b490",
                "name": "GetFileSecurityW"
              },
              {
                "address": "0x58b494",
                "name": "GetSecurityDescriptorOwner"
              }
            ]
          },
          "api-ms-win-core-sysinfo-l1-1-0": {
            "dll": "api-ms-win-core-sysinfo-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b2d0",
                "name": "SetLocalTime"
              },
              {
                "address": "0x58b2d4",
                "name": "GetSystemTime"
              },
              {
                "address": "0x58b2d8",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x58b2dc",
                "name": "GetVersion"
              },
              {
                "address": "0x58b2e0",
                "name": "GetLocalTime"
              },
              {
                "address": "0x58b2e4",
                "name": "GetWindowsDirectoryW"
              }
            ]
          },
          "api-ms-win-core-timezone-l1-1-0": {
            "dll": "api-ms-win-core-timezone-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b30c",
                "name": "SystemTimeToFileTime"
              },
              {
                "address": "0x58b310",
                "name": "FileTimeToSystemTime"
              }
            ]
          },
          "api-ms-win-core-datetime-l1-1-0": {
            "dll": "api-ms-win-core-datetime-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b058",
                "name": "GetTimeFormatW"
              },
              {
                "address": "0x58b05c",
                "name": "GetDateFormatW"
              }
            ]
          },
          "api-ms-win-core-systemtopology-l1-1-0": {
            "dll": "api-ms-win-core-systemtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b2ec",
                "name": "GetNumaNodeProcessorMaskEx"
              },
              {
                "address": "0x58b2f0",
                "name": "GetNumaHighestNodeNumber"
              }
            ]
          },
          "api-ms-win-core-console-l2-2-0": {
            "dll": "api-ms-win-core-console-l2-2-0.dll",
            "imports": [
              {
                "address": "0x58b044",
                "name": "SetConsoleTitleW"
              },
              {
                "address": "0x58b048",
                "name": "GetConsoleTitleW"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-2-0": {
            "dll": "api-ms-win-core-processenvironment-l1-2-0.dll",
            "imports": [
              {
                "address": "0x58b200",
                "name": "NeedCurrentDirectoryForExePathW"
              }
            ]
          },
          "api-ms-win-core-registry-l1-1-0": {
            "dll": "api-ms-win-core-registry-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b258",
                "name": "RegCreateKeyExW"
              },
              {
                "address": "0x58b25c",
                "name": "RegCloseKey"
              },
              {
                "address": "0x58b260",
                "name": "RegSetValueExW"
              },
              {
                "address": "0x58b264",
                "name": "RegEnumKeyExW"
              },
              {
                "address": "0x58b268",
                "name": "RegDeleteKeyExW"
              },
              {
                "address": "0x58b26c",
                "name": "RegDeleteValueW"
              },
              {
                "address": "0x58b270",
                "name": "RegOpenKeyExW"
              },
              {
                "address": "0x58b274",
                "name": "RegQueryValueExW"
              }
            ]
          },
          "api-ms-win-core-file-l2-1-0": {
            "dll": "api-ms-win-core-file-l2-1-0.dll",
            "imports": [
              {
                "address": "0x58b10c",
                "name": "CreateHardLinkW"
              },
              {
                "address": "0x58b110",
                "name": "GetFileInformationByHandleEx"
              },
              {
                "address": "0x58b114",
                "name": "MoveFileWithProgressW"
              },
              {
                "address": "0x58b118",
                "name": "MoveFileExW"
              },
              {
                "address": "0x58b11c",
                "name": "CreateSymbolicLinkW"
              }
            ]
          },
          "api-ms-win-core-heap-l2-1-0": {
            "dll": "api-ms-win-core-heap-l2-1-0.dll",
            "imports": [
              {
                "address": "0x58b154",
                "name": "GlobalFree"
              },
              {
                "address": "0x58b158",
                "name": "LocalFree"
              },
              {
                "address": "0x58b15c",
                "name": "GlobalAlloc"
              }
            ]
          },
          "api-ms-win-core-file-l2-1-2": {
            "dll": "api-ms-win-core-file-l2-1-2.dll",
            "imports": [
              {
                "address": "0x58b124",
                "name": "CopyFileW"
              }
            ]
          },
          "api-ms-win-core-io-l1-1-0": {
            "dll": "api-ms-win-core-io-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b16c",
                "name": "DeviceIoControl"
              }
            ]
          },
          "api-ms-win-core-console-l3-2-0": {
            "dll": "api-ms-win-core-console-l3-2-0.dll",
            "imports": [
              {
                "address": "0x58b050",
                "name": "GetConsoleWindow"
              }
            ]
          },
          "api-ms-win-core-processtopology-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b248",
                "name": "GetThreadGroupAffinity"
              }
            ]
          },
          "api-ms-win-core-processthreads-l1-1-1": {
            "dll": "api-ms-win-core-processthreads-l1-1-1.dll",
            "imports": [
              {
                "address": "0x58b240",
                "name": "IsProcessorFeaturePresent"
              }
            ]
          },
          "api-ms-win-core-profile-l1-1-0": {
            "dll": "api-ms-win-core-profile-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b250",
                "name": "QueryPerformanceCounter"
              }
            ]
          },
          "api-ms-win-core-interlocked-l1-1-0": {
            "dll": "api-ms-win-core-interlocked-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b164",
                "name": "InitializeSListHead"
              }
            ]
          },
          "api-ms-win-core-misc-l1-1-0": {
            "dll": "api-ms-win-core-misc-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b1c4",
                "name": "lstrcmpiW"
              },
              {
                "address": "0x58b1c8",
                "name": "lstrcmpW"
              }
            ]
          },
          "api-ms-win-core-apiquery-l1-1-0": {
            "dll": "api-ms-win-core-apiquery-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b000",
                "name": "ApiSetQueryApiSetPresence"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-1": {
            "dll": "api-ms-win-core-delayload-l1-1-1.dll",
            "imports": [
              {
                "address": "0x58b07c",
                "name": "ResolveDelayLoadedAPI"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-0": {
            "dll": "api-ms-win-core-delayload-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b074",
                "name": "DelayLoadFailureHook"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0004b4f4",
            "size": "0x00000348"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0004f000",
            "size": "0x000084f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00058000",
            "size": "0x0000254c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00002d74",
            "size": "0x00000054"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00001000",
            "size": "0x000000c0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x0002ecdc",
            "size": "0x000000a0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x0002e000",
            "size_of_data": "0x0002e000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.54"
          },
          {
            "name": ".data",
            "raw_address": "0x0002e400",
            "virtual_address": "0x0002f000",
            "virtual_size": "0x0001c000",
            "size_of_data": "0x0001b200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.12"
          },
          {
            "name": ".idata",
            "raw_address": "0x00049600",
            "virtual_address": "0x0004b000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002a00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "5.52"
          },
          {
            "name": ".didat",
            "raw_address": "0x0004c000",
            "virtual_address": "0x0004e000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.78"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x0004c200",
            "virtual_address": "0x0004f000",
            "virtual_size": "0x00009000",
            "size_of_data": "0x00008600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.36"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00054800",
            "virtual_address": "0x00058000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "6.76"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "MUI",
            "offset": "0x00057420",
            "size": "0x000000d8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.66"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004f778",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.65"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004fde0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000500c8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000501f0",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.06"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00051098",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00051940",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "0.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00051ea8",
            "size": "0x0000169e",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.85"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00053548",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00055af0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00056b98",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00057000",
            "size": "0x00000092",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.90"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00057098",
            "size": "0x00000388",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.53"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0004f350",
            "size": "0x00000426",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.00"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Windows Command Processor"
          },
          {
            "name": "FileVersion",
            "value": "10.0.22621.1635 (WinBuild.160101.0800)"
          },
          {
            "name": "InternalName",
            "value": "cmd"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "Cmd.Exe"
          },
          {
            "name": "ProductName",
            "value": "Microsoft® Windows® Operating System"
          },
          {
            "name": "ProductVersion",
            "value": "10.0.22621.1635"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "fd97afec4dc549dcd1fe1dad15035df9",
        "timestamp": "2000-03-26 22:56:14",
        "icon": "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",
        "icon_hash": "00d152c1523e56c619d25f6c96c21a41",
        "icon_fuzzy": "e55641fba39eaff4ee89e5fc0af8f337",
        "icon_dhash": "a2ae7a370101a3c0",
        "imported_dll_count": 41
      },
      "data": null,
      "strings": [
        "SetThreadLocale",
        "WNetGetConnectionWStub",
        "OutputDebugStringW",
        "u$h %T",
        ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC",
        "RWRVh",
        "0f;2u f",
        "CCCC@40`P@ ",
        "APerformUnaryOperation: '%c'",
        ",wP{.w",
        "__current_exception_context",
        "50G0O0T0Y0_0h0n0",
        "tSj/Z",
        "A=K=b=f=l=p=v=z=",
        "D$8t'",
        "QueryPerformanceCounter",
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>",
        "_o_iswalpha",
        "%hs(%d) tid(%x) %08X %ws",
        "UnhandledExceptionFilter",
        "1 232c2l2x2",
        ";+;7;c;i;",
        "PPQhP",
        "yy/MM/dd",
        "RtlCreateUnicodeStringFromAsciiz",
        "api-ms-win-core-heap-l1-1-0.dll",
        "_o___stdio_common_vfprintf",
        ";1;G;[;a;",
        "lbvPibv",
        "uGj\\Z",
        "_o_setlocale",
        "    <security>",
        "738v8",
        "0,0K0d061",
        "f;D$`",
        "CMDEXTVERSION",
        "uBSWR",
        "_o___stdio_common_vswscanf",
        "VS_VERSION_INFO",
        "api-ms-win-crt-private-l1-1-0.dll",
        "6^7j7w7",
        "<><C<H<j<o<w<",
        "%2d%s%02d%s%02d%s%02d",
        "=1=V=w=",
        "FindFirstFileExW",
        "2 3,363>3S3`3g3}3",
        ">x?}?",
        "v,Sh<#T",
        "YYf9}",
        "bad array new length",
        "LeaveCriticalSection",
        "%02d%s%02d%s",
        "ASSOC",
        "en-US",
        "api-ms-win-core-file-l1-1-0.dll",
        "96:=:E:",
        "onecore\\base\\cmd\\StartShellExecServiceProvider.h",
        "j.Yf;",
        "9#9<9l9",
        "3?4H4",
        ";C=R=",
        "RtlNtStatusToDosError",
        "uRVWj",
        "7(7.7E7L7Y7f7k7t7",
        "BrandingFormatString",
        "dvPIUv",
        ">F>L>R>W>h>s>~>",
        ";+;X;k;s;",
        "u&QWS",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\resource.h",
        "GlobalAlloc",
        "%s %s ",
        "< >->A>V>q>",
        "SVWt j",
        "    /D /c\"",
        ";#;/;8;@;_;e;",
        ".data$pr00",
        "334Q4`4",
        "CloseThreadpoolTimer",
        "Vf9\\$.t",
        "VirtualAlloc",
        " /K %s",
        " %x %c",
        "GetTimeFormatW",
        "COLOR",
        "CreateMutexExW",
        "SetConsoleTextAttribute",
        "DebugBreak",
        "D$dP3",
        "6#6'6+6/6",
        ".CRT$XIC",
        " &()[]{}^=;!%'+,`~",
        "2T3{3",
        "D$(PV",
        "=8=y=",
        "1h2q2v2",
        "0123456789",
        "4 4&464?4E4U4^4d4p4v4",
        "0Y1`1o1z1",
        "    <windowsSettings>",
        ".gljmp",
        ":-u\"j",
        "ReadProcessMemory",
        "NtQueryInformationProcess",
        "D$tPh",
        "0J1X1j1",
        "9_:|:",
        "wcschr",
        "REM /?",
        "VQh@5T",
        "8j9p9",
        "3-3I3X3i3",
        ":(;m;",
        "6M6x6",
        "RoInitialize",
        "8-8B8[8g8m8",
        "P8QRu",
        "TryAcquireSRWLockExclusive",
        "Qh4*T",
        "_CxxThrowException",
        "COPYCMD",
        "|$hWQ",
        "api-ms-win-core-systemtopology-l1-1-0.dll",
        "<application  xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "PVhP)T",
        "MessageBeepStub",
        "@$9Q w",
        ".data$dk00",
        "=B>I>",
        "1$222X2",
        "9T$Hu",
        "ProductName",
        "D$LPV",
        "__current_exception",
        "VPSRW",
        "api-ms-win-core-synch-l1-1-0.dll",
        ":3;<;B;G;Z;f;r;z;",
        "NtSetInformationProcess",
        "_o___p___argv",
        "</assembly>",
        "D$l;D$p",
        "6)707@7F7S7Z7",
        "b$j-0",
        "QSVWj",
        "4D4H4L4P4T4X4",
        "    name=\"Microsoft.Windows.FileSystem.CMD\"",
        "pushd ",
        "usebackq",
        "ReadConsoleW",
        "1 1$1(1,1014181<1@1D1H1L1P1T1X1\\1`1d1h1l1p1t1x1|1",
        "api-ms-win-core-file-l2-1-2.dll",
        "t$,PQ",
        "SetFileTime",
        "7(868E8",
        "DisableUNCCheck",
        "M0T0q0}0",
        "f;L$4u",
        "u)f9^",
        "<\"<.<B<N<Z<f<r<~<",
        "5ineI",
        "7/898B8K8`8i8",
        "*w@N,w",
        "536M7x7",
        "j\\[f9Y",
        "4&4.4J4S4\\4c4s4y4",
        "onecore\\internal\\sdk\\inc\\wil/Staging.h",
        "3e4q4",
        "=i=p=",
        ">\">)>0>8>@>H>T>]>b>h>r>|>",
        " Windows",
        ";%;G;N;U;`;g;w;",
        "VCShv#",
        "T$|RP",
        "9hX6T",
        "5K6V6[6f6",
        "_o__get_initial_narrow_environment",
        "f;D$,u",
        "EXIST",
        "9|$Xu+",
        "u(Qh@7T",
        "9T$Hv",
        "_o__wtol",
        "GetLocaleInfoW",
        "ntdll.dll",
        "????????.???",
        "Yj f;",
        "9B9G9",
        "WNetCancelConnection2WStub",
        "6L7f7",
        "==>\\>b>",
        "<>+-*/%()|^&=,",
        "7(7K7",
        "333O3`3",
        "DeleteCriticalSection",
        "QQQQP",
        "skip=",
        "4:5@5v5",
        ".?AVbad_alloc@std@@",
        "_o_calloc",
        "NDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
        "f98u]",
        "LogNt",
        ".rsrc$01",
        "t\\SWj",
        "GetCurrentThreadId",
        "%02d%s%02d%s%02d",
        ";0;>;G;",
        "7C7x7",
        "8.8x8",
        "2\"2)2C2J2",
        "wwwwwwwwp",
        "10.0.22621.1635",
        "_o__configure_narrow_argv",
        "0x1}1",
        "Unknown",
        "t$TVP",
        "3A4H4k4",
        "</application>",
        "6'747y7",
        "api-ms-win-security-base-l1-1-0.dll",
        " v,PW",
        "Se%ae`",
        "=,;+/[] ",
        "rmdir ",
        "t+Vh5#",
        "ARM64",
        "_o__invalid_parameter_noinfo",
        "T$0QQV",
        "SetFileAttributesW",
        "Redir: ",
        "_o__tell",
        "0$0@0h0",
        "_o__pclose",
        "HIGHESTNUMANODENUMBER",
        ";<;N;U;m;u;{;",
        "D$8PW",
        "GetProcessHeap",
        "j\"Zf;",
        "t$0WS",
        "YY[_3",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "GetNumaHighestNodeNumber",
        "5A6G6O6X6^6s6",
        "?:?h?",
        "9\"9*939=9X9s9z9",
        "3(3,3@3D3X3\\3p3t3",
        ".CRT$XCU",
        "FindClose",
        ">*?h?{?",
        ".rsrc",
        "RegDeleteValueW",
        "*** Unknown type: %x",
        "FillConsoleOutputCharacterW",
        "j\\Yf;",
        ":-;>;",
        "3'3-3l3y3",
        "Cmd: %s  Type: %x ",
        "GetDateFormatW",
        "=e>k>q>w>}>",
        "vTh #T",
        ".text",
        "SetEndOfFile",
        "VarFileInfo",
        "SVWj*",
        " \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"",
        "2&353>3K3g3",
        "=L=i=o=u={=",
        "RRRRP%",
        "pwCt9",
        "t$$t%S",
        "_o_fgets",
        "PathCompletionChar",
        "7]8~8",
        "FlushFileBuffers",
        "_o__cexit",
        "|]w@j`w",
        "cmd.pdb",
        ".idata$4",
        "|$B:t0",
        "T$$;T$",
        "GetWindowsDirectoryW",
        "_o_wcstoul",
        "8i8{8",
        "GetDiskFreeSpaceExW",
        "        <requestedPrivileges>",
        "4%4.4:4",
        ":,:4:h:p:x:",
        "DeleteFileW",
        "ReleaseSRWLockShared",
        "<description>Windows Command Processor</description>",
        "FileTimeToLocalFileTime",
        "j\\Xf9",
        ">!?&?",
        "424@4O4t4",
        "SetConsoleCursorPosition",
        "D3blc",
        "3!3(3-3=3F3Q3f3w3~3",
        "GetConsoleOutputCP",
        "Vh4*T",
        "<#=7=K=_={=",
        "?;?G?a?j?q?w?",
        ">.>D>",
        "iH4-N",
        "_o__wpopen",
        "FailFast",
        "Whh7T",
        "\"Ph@7T",
        "BREAK",
        ".text$di",
        "f90uK",
        "0.171=1v1",
        "8 8&858M8X8w8",
        "START",
        "<?=X=h=x>",
        "5ntel",
        "D$(QP",
        "8+8y8",
        "505@5K5R5d5y5",
        "0G0x071=1G1S1Z1h1s1{1",
        "ENABLEEXTENSIONS",
        "@PVVWS",
        ".didat$4",
        ".text$yd",
        "CMDCMDLINE",
        "\\Shell\\Open\\Command",
        ";)<B<H<`<",
        "8^9{9",
        "DefaultColor",
        "j\\^f91",
        "GlobalFree",
        ">E>a>n>",
        "?*?1?I?P?u?|?",
        "u?h.'",
        "L$xQV",
        "0-0q0Q2W2]2g2q2x2",
        "D$(SPQ",
        "Copyright (c) Microsoft Corporation. All rights reserved.",
        "api-ms-win-core-threadpool-l1-2-0.dll",
        ":1;U;s;",
        "j:Zf;",
        ".data$rs$brc",
        "4-5H5n5",
        "RegOpenKeyExW",
        "VShb#",
        "Software\\Classes",
        "api-ms-win-core-libraryloader-l1-2-0.dll",
        "D$ Ph",
        "<$<[<i<",
        "2 2'22292D2K2V2]2",
        "j Xf9DN",
        "_o__initialize_onexit_table",
        "VPj#S",
        "MKLINK",
        "    version=\"5.1.0.0\"",
        "PATHEXT",
        "WNetAddConnection2WStub",
        "YY8\\$",
        "cCBR_p",
        "8f9s:",
        "2K3g3x3",
        "7$7*70757;7A7U7`7e7k7q7",
        "5d5q5",
        ".didat$6",
        "RtlNotifyFeatureUsage",
        "GetFullPathNameW",
        "314;4I4w4",
        "j\\Yf9",
        "_o__set_new_mode",
        ";\";*;1;",
        "prRRRPa",
        "AcquireSRWLockExclusive",
        "IDI_APPICON",
        "CreateFileW",
        "6&70797",
        "NTDLL.DLL",
        "_except_handler4_common",
        "WaitForThreadpoolTimerCallbacks",
        ":+;;;",
        "D$(VW",
        "RtlFreeHeap",
        "UpdateProcThreadAttribute",
        "QQhL%T",
        "GetFileSize",
        "tHj Y",
        "YjDYf;",
        "InitializeCriticalSectionEx",
        "wwwwwwww",
        "GetModuleHandleExW",
        "u/9=l",
        "RtlDosPathNameToNtPathName_U",
        ".idata$6",
        "2 2$282<2P2T2h2l2",
        "ext-ms-win-branding-winbrand-l1-1-0.dll",
        "6\"666I6^6d6j6p6v6|6",
        "f90tW",
        "ProductVersion",
        "ReturnHr",
        "RSDS7",
        ".didat$7",
        "6=6e6",
        "FTYPE",
        "TerminateProcess",
        "8.989",
        "YjWYf+",
        "REALTIME",
        "FileDescription",
        "_o_towupper",
        "5 5$585<5P5T5",
        ";'<^<",
        "api-ms-win-core-registry-l1-1-0.dll",
        ".data$dk00$brc",
        "Uv@8Wv",
        "0\"12171",
        "8'8B8e8k8",
        "rEj=Xf9",
        "_o_feof",
        "CMD Internal Error %s",
        "%6Ru'",
        "DeviceIoControl",
        "InitializeCriticalSection",
        "6/656<6B6K6]6",
        "Ph@5T",
        "5(515L5j5",
        ".?AVbad_array_new_length@std@@",
        "<T<c<u<",
        "GetACP",
        "Vj/Xf",
        "L$DQP",
        "lstrcmpW",
        "?!?*?8?f?n?",
        "*t}f;E",
        "SHARED",
        "+w@X,w",
        "VSh]#",
        "Microsoft Corporation",
        "j\\Xj*f9DK",
        "RtlDosPathNameToRelativeNtPathName_U_WithStatus",
        "=%>a>",
        "RtlDllShutdownInProgress",
        "GetConsoleMode",
        "api-ms-win-core-console-l2-1-0.dll",
        "0%111=1C1I1O1U1]1c1j1p1u1}1",
        "RegQueryValueExW",
        "f;D$(u",
        "545]5u5",
        "3T4X5e5",
        ":;:A:\\:",
        ".CRT$XCA",
        "f;D$4u",
        "CreateHardLinkW",
        "D$09L$",
        "j.Xf9",
        "RemoveDirectoryW",
        "FreeEnvironmentStringsW",
        "_o_srand",
        "_initterm_e",
        "_setjmp3",
        "2\"2.2;2E2R2]2b2",
        "<%<5<B<O<x<~<",
        "<I<X<^<n<t<",
        "(%s) %s ",
        "t$4j S",
        "api-ms-win-core-string-l1-1-0.dll",
        "GetCommandLineW",
        "1 1>1F1",
        "+C F;C w",
        "_o___acrt_iob_func",
        "43595c5m5s5",
        "4O4W4",
        "_local_unwind4",
        "j\"[f;",
        ".rdata",
        ".CRT$XIZ",
        "L$0Q3",
        "4S546Y6d6y6",
        "VtPh(#",
        "9^:x:}:",
        "api-ms-win-core-processtopology-l1-1-0.dll",
        "_o__close",
        "_o__initialize_narrow_environment",
        "<1<6<F<T<]<y<",
        "u3SShH4T",
        "ext-ms-win-branding-winbrand-l1-1-1",
        "kernelbase.dll",
        "040904B0",
        "                level=\"asInvoker\"",
        "Sh(PO",
        "1+2N2",
        "((((&&(&&&(&(&&&&&&(((#&&###",
        "GetModuleHandleW",
        "api-ms-win-crt-time-l1-1-0.dll",
        "=$=2=>=J=V=b=n=x=",
        "n<DSbb",
        "2H2h3r3}3",
        "tmj/Xf;",
        "LocalFree",
        "; <*</<E<",
        ";K<&=",
        "CreateSymbolicLinkW",
        "api-ms-win-core-handle-l1-1-0.dll",
        "? ?-?3?}?",
        "j\"Yf;",
        "        <ws2:longPathAware>true</ws2:longPathAware>",
        "Wv@!Wv ",
        "_o_wcstol",
        "<+<0<5<V<[<h<",
        "<$<z<",
        "5b6|6",
        "|$(Wj",
        "j:Xf9G",
        "api-ms-win-core-delayload-l1-1-0.dll",
        "WWWSQ",
        ": :':,:l:q:",
        "lext-ms-win-cmd-util-l1-1-0",
        "6*6Q6_6",
        "X[_^]",
        "NtQueryInformationToken",
        "C:\\Users\\malware\\AppData\\Local\\Temp",
        "DEFINED",
        "api-ms-win-crt-runtime-l1-1-0.dll",
        "8 8<8X8`8",
        "3$3\\3",
        "\\XCOPY.EXE",
        "GetLocalTime",
        "9t$ ~n",
        "api-ms-win-crt-string-l1-1-0.dll",
        "?&?S?",
        "[%hs(%hs)]",
        "Application",
        "APerformArithmeticOperation: '%c'",
        "GetFileSecurityW",
        "j=Zf9",
        "6!60666D6M6",
        "+wP},w",
        "<}&vW",
        "ext-ms-win-branding-winbrand-l1-1-2",
        "959R9^9l9z9",
        "<\"<t<",
        "SetThreadpoolTimer",
        "0w`o.w",
        "InitializeSListHead",
        "Args: `%s' ",
        "2-343B3I3W3^3l3s3",
        ":j;x;",
        "D$(PQ",
        "WriteFile",
        "95:]:",
        "GetVDMCurrentDirectoriesStub",
        "0I0V0h0w0",
        "delims=",
        "j=Xf9",
        "_o_iswspace",
        "j:Yf9H",
        "ShellExecuteExW",
        "PAUSE",
        ".data",
        "SetFilePointer",
        "_o__register_onexit_function",
        "_o_towlower",
        ".giats",
        "<E<P<V<",
        "=1?H?p?",
        "GetEnvironmentVariableW",
        "CompletionChar",
        "L$PQ3",
        ">3>>>C>",
        "=5=B=H=[=g=n=}=",
        "iWWSQ",
        "=/=;=U=o=z=",
        ".bss$zz",
        "YY_^]",
        "IF /?",
        "6,6D6X6\\6p6t6",
        "NtOpenProcessToken",
        "_o__wcsnicmp",
        "Exception",
        "I8SV3",
        "2w3}3",
        "        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
        "Tjjjj",
        "101;1L1Y1k1y1",
        "5C6K6T6`6",
        "_o___std_exception_copy",
        ".data$00",
        "YjdXf;",
        ".rtc$TZZ",
        "_initterm",
        "NtOpenFile",
        "3#3B3Q3v3",
        "5Y5g5n5u5",
        "6h46T",
        "f9>t#",
        "EnterCriticalSection",
        "3$4)484G4L4`4o4",
        "Msg:[%ws] ",
        "!This program cannot be run in DOS mode.",
        "4}\"6W",
        "4)4.4=4e4k4",
        "0(0<0R0e0j0",
        "GetVersion",
        "<noalias>",
        "WilError_03",
        "pqacG%%apppppppaB",
        ".text$mn",
        "f;D$$u",
        "<f<|<",
        "L$@j\\Z",
        "ReleaseSRWLockExclusive",
        "NtClose",
        "GetProcAddress",
        "CompareFileTime",
        "u ;5@",
        "api-ms-win-core-apiquery-l1-1-0.dll",
        ".CRT$XIAA",
        ":):3:K:Y:",
        "Sh4*T",
        "t_f9;tZ",
        "PSVQR",
        "?D?J?\\?v?|?",
        "6J7a7",
        "memmove",
        ":#;O;W;",
        "MACHINE",
        "PQQQV",
        "3ntdll.dll",
        "2:2W2c2",
        "NtQueryVolumeInformationFile",
        "CreateProcessW",
        "QQVWj",
        "060P0h0",
        "3E4X4l4",
        "t$4Bf",
        "VERIFY",
        "SVWj/X",
        "_o__wcsicmp",
        "2=2K2S2e2p2",
        "=;>j>",
        "api-ms-win-core-winrt-l1-1-0.dll",
        "10.0.22621.1635 (WinBuild.160101.0800)",
        ".CRT$XIAC",
        "FindNextStreamWStub",
        ".rtc$TAA",
        "MultiByteToWideChar",
        "9+9O9V9z9",
        "t$du<",
        "j:Xf9",
        "4>5X6:7~7",
        "DIRCMD",
        ":4:I:S:",
        "_o__pipe",
        "FormatMessageW",
        "NEWWINDOW",
        "[%hs]",
        "api-ms-win-core-processenvironment-l1-1-0.dll",
        "8 8$84888@8X8\\8`8d8h8l8p8t8x8|8",
        "@Qm6t",
        "2$2*282?2v2",
        "MM/dd/yy",
        "5=5?6",
        "90979M9j9",
        "929=9Y9h9w9",
        "(caller: %p) ",
        "?)?9?I?Y?i?y?",
        "HeapReAlloc",
        "ReleaseMutex",
        "HeapAlloc",
        "cG?CCRRRRP`R",
        "onecore\\base\\cmd\\maxpathawarestring.cpp",
        "Rht+T",
        "u*f9~",
        "ext-ms-win-appmodel-shellexecute-l1-1-0.dll",
        "wcsspn",
        " [...]",
        "071P1p1",
        "AMD64",
        "0a0z0",
        "_o___p___argc",
        "TvP|Wv",
        "=2=;=F=",
        "t$<ShT#",
        "_o__controlfp_s",
        "{~WPh",
        "lstrcmpiW",
        "SetLastError",
        "    type=\"win32\"",
        "<4<8<X<x<",
        "ext-ms-win-cmd-util-l1-1-0.dll",
        "<6<B<p<y<",
        ".gfids",
        "QQSVW",
        "_o__exit",
        "L$(f9",
        "3'363K3^3i3r3{3",
        "_register_thread_local_exe_atexit_callback",
        "? ?=?B?[?l?v?~?",
        "OpenSemaphoreW",
        "1!1+1A1K1T1[1w1Q3",
        "z]w z`w i`w",
        "v<PWh",
        ".?AVtype_info@@",
        "GetCurrentDirectoryW",
        "7<7@7P7T7\\7t7",
        "9A t;9",
        "u$h4%T",
        "_o__purecall",
        "Null environment",
        "GetVolumePathNameW",
        "D$0f90",
        "= =6=",
        "WShu#",
        "5&6>6",
        "5M5T5(6",
        "PShc#",
        "SetErrorMode",
        "3;4G4b4.5N5X5",
        "IsDebuggerPresent",
        "j\"Xf9",
        "@.reloc",
        "api-ms-win-core-misc-l1-1-0.dll",
        "wcsstr",
        ">A>c>m>",
        "PPPQPPVV",
        ".text$lp00cmd.exe!20_pri7",
        "7!8)888@8H8m8s8z8",
        "SVWj$",
        ">??n?",
        ":1;s;",
        "42474<4[4c4w4",
        "NORMAL",
        "Yj Zf;",
        "ResolveDelayLoadedAPI",
        "GetUserDefaultLCID",
        "System",
        "Software\\Microsoft\\Windows NT\\CurrentVersion",
        "HeapSetInformation",
        "api-ms-win-core-processthreads-l1-1-1.dll",
        "C:\\Windows\\system32\\cmd.exe",
        "api-ms-win-core-console-l3-2-0.dll",
        "GetThreadLocale",
        "j/Xf;",
        ".text$zz",
        "GetCurrentProcessId",
        ">;>S>",
        "GetModuleFileNameW",
        "wwwwwwwwwwwwwww",
        "7/7Z7i7s7",
        "CMD.EXE",
        ".rdata$r$brc",
        "40444H4L4`4d4x4|4",
        "api-ms-win-core-sysinfo-l1-1-0.dll",
        "j\"Yf9",
        "9O\\tcQh",
        "9]:D;",
        "api-ms-win-core-heap-l2-1-0.dll",
        ";$;1;V;b;|;",
        ":I;Y;",
        "D$xPS",
        "0>0U0e0~0",
        "v<h0+T",
        "3(3u3}3",
        "D$PSV",
        "PU,//",
        "LoadLibraryExW",
        "_o_rand",
        "%s %s%s ",
        "j\\Xf;",
        "joX_^[",
        "Vj ^S",
        "5'535",
        "ResumeThread",
        "CopyFileW",
        ";R<Z<b<",
        "ABOVENORMAL",
        "NtOpenThreadToken",
        "_time32",
        "_o___std_exception_destroy",
        "jcZj)f",
        "2G2T2",
        "=9>x>",
        "5@6Q6V6i6",
        "_o___stdio_common_vswprintf",
        "j\\_j:Yf9H",
        "QhH(T",
        "0(060@0N0X0f0p0",
        "2)3b3",
        "@PVVWSR",
        "<3=d=",
        "0%1t1x1",
        "D$\\t\"j",
        ":6;H;b;",
        "\\$0SP",
        "D$0Ph",
        "7M8T8e8",
        "777F7K7",
        "j-Yf;",
        "X<j(Y",
        "PQSVW",
        "api-ms-win-core-delayload-l1-1-1.dll",
        "809p9",
        "AFFINITY",
        "DISABLEEXTENSIONS",
        ".CRT$XCZ",
        "WriteConsoleW",
        "WideCharToMultiByte",
        "3^3i3y3",
        "GetFileInformationByHandleEx",
        "u#Sh)'",
        "97s/j",
        "787S7",
        "_w07]w@ ^w",
        "CallContext:[%hs] ",
        "464{4",
        "SetCurrentDirectoryW",
        "<0@0H0P0h0p0",
        "5'505k5q5",
        "ReleaseSemaphore",
        ".data$zz",
        "SetConsoleMode",
        " [..]",
        ".text$zs",
        "DeleteProcThreadAttributeList",
        "PROMPT",
        "j%Xtnj/_Shl",
        "|$$f9",
        "=)=L=W=k= >c>",
        "FOR /?",
        "GeToken: (%x) '%s'",
        "%d.%d.%05d.%d",
        "DPATH",
        ".data$r$brc",
        "Microsoft",
        "_o_iswdigit",
        "t5j Y",
        "WilFailureNotifyWatchers",
        "L$,RQh",
        "<4<8<<<@<D<H<L<P<T<X<",
        "PSh[#",
        ".rsrc$02",
        "OriginalFilename",
        "AcquireSRWLockShared",
        "+050E0^0f0m0x0",
        "j-Zj/Xf;",
        "SETLOCAL",
        "PVht)T",
        "_o_qsort",
        "GetConsoleWindow",
        "6 7/747=7^7d7",
        "RegSetValueExW",
        "3&3b3o3",
        "2&202?2u2",
        "u&Rh7#",
        "Q.wPS.w",
        "ENABLEDELAYEDEXPANSION",
        "=ExitCodeAscii",
        "tbf98t]",
        "j\\Zj:Yf",
        ":7:Q:W:",
        "_o__get_osfhandle",
        "0#0)020=0B0H0U0]0b0l0{0",
        "CompanyName",
        "D$H;D$,",
        "L$<QWP",
        "6!6,646>6H6_6e6p6v6",
        "uxWh@",
        "api-ms-win-core-processthreads-l1-1-0.dll",
        "?7?S?\\?",
        "DelayedExpansion",
        "RtlUnregisterFeatureConfigurationChangeNotification",
        "eIDATx",
        "<SVW3",
        "!KD4)#",
        "DisableCMD",
        "start /wait \"\" \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"",
        "ReadFile",
        "SearchPathW",
        "ext-ms-win-branding-winbrand-l1-1-0",
        "SetConsoleCtrlHandler",
        ">!>A>a>k>",
        "?#?*?1?8???F?N?V?^?i?n?t?~?",
        "VPj!S",
        "0'0/0",
        "8V9Y:m:s:y:",
        "9#9'9=9F9O9W9w9",
        ".rdata$brc",
        "DelayLoadFailureHook",
        "LegalCopyright",
        "878>8F8N8",
        "MKDIR",
        "<$<]<",
        ";$;.;7;A;J;T;];g;y;",
        "=F>v>",
        "GetSystemTimeAsFileTime",
        "F8^f90u",
        "GetStdHandle",
        ";\"<1<><L<d<j<",
        "182A2M2U2g2",
        "8S8r8",
        "2:2A2j2",
        "`.data",
        "N8SQj",
        "RANDOM",
        "fdpnxsatz",
        "SSSSQ",
        "223B3G3M3]3b3h3x3}3",
        ".rtc$IAA",
        "'Px0&D",
        "LogHr",
        "+w0/,w",
        ".didat$3",
        "RtlRegisterFeatureConfigurationChangeNotification",
        "_c_exit",
        "6]6g6k6v6",
        "L$,tB",
        "F<Gf9",
        "FindFirstFileW",
        ">G?Y?e?q?w?",
        "D$lPV",
        "NtSetInformationFile",
        "Qh@7T",
        "535C5a5",
        "GetLastError",
        "RegCreateKeyExW",
        "9t:x:|:",
        ":5:r:",
        "ShellExecuteWorker",
        "GetVolumeInformationW",
        "CloseHandle",
        ">/?h?",
        ";+;0;8;Z;y;~;",
        "83989",
        ".text$zy",
        "t[QhH+T",
        "1+1D1",
        "memcpy",
        "VVVQV",
        ".rdata$zz",
        ".?AVexception@std@@",
        "mkdir ",
        "<*<2<F<^<l<x<",
        "?,?B?",
        ".didat$5",
        "GetSecurityDescriptorOwner",
        "t$8WQ",
        "_o__ultoa_s",
        "_o_ferror",
        "%04X-%04X",
        ".text$x",
        "?H?e?",
        "GetExitCodeProcess",
        "useback",
        "_w _Wv",
        "StringFileInfo",
        "t3VSh",
        "L$\\_^[3",
        "RtlFreeUnicodeString",
        "8C9O9Y9}9",
        "3=4Z4",
        "?7?F?L?W?^?d?",
        "_o__dup",
        "_o___p__commode",
        "DuplicateHandle",
        "SVWhH[X",
        "D$pPS",
        "RtlNtStatusToDosErrorNoTeb",
        ":':5:C:\\:b:h:o:u:",
        "Local\\SM0:%lu:%lu:%hs",
        "Translation",
        "api-ms-win-core-debug-l1-1-0.dll",
        ".bss$00",
        "0N1T1",
        "</=7=G=]=e=u=",
        "HH:mm:ss t",
        "VVv@YWv",
        "D$4Pj",
        ".xdata$x",
        "ERRORLEVEL",
        "CreateThreadpoolTimer",
        "?r?{?",
        "676[6w6",
        "_o__callnewh",
        "080y0",
        " }0j@",
        "0 161C1_1m1",
        ">/>_>q>{>",
        "2!353g3{3",
        "777j7t7z7",
        ".bss$dk00",
        "ext-ms-win-appmodel-shellexecute-l1-1-0",
        "PhD-T",
        ":%:G:r:|:",
        "    </security>",
        "<t;-,",
        "2!20272F2M2",
        "4sf9>uD",
        "SVWQQj",
        "IsProcessorFeaturePresent",
        "api-ms-win-core-datetime-l1-1-0.dll",
        "_o_fflush",
        "8!8;8D9R9W9~9",
        "O8j*Z",
        "%WINDOWS_COPYRIGHT%",
        "6c7j7q7$8=8C8N8W8f8m8w8}8",
        "HeapFree",
        "        </requestedPrivileges>",
        "0 0$0(0,0004080<0@0D0H0L0",
        "4!5(595G5U5c5q5",
        "TITLE",
        "_o__seh_filter_exe",
        "ScrollConsoleScreenBufferW",
        "D$,PV",
        "RENAME",
        ".CRT$XTA",
        "GetModuleFileNameA",
        "GetFileAttributesExW",
        "*)))))))))))))))))))))",
        "Vhh7T",
        "memcmp",
        "31393F3N3a3",
        "se%%%%% R",
        "D$$SVW",
        "j%Yf;",
        "2-3]4c4s4{4",
        "GetStartupInfoW",
        "4&5.5:5E5M5Y5`5l5s5",
        "343c3j3,414Y4n4u4",
        ".bss$pr00",
        "MoveFileWithProgressW",
        "j:Xf9A",
        "SVWj/Xf",
        "Ungetting: '%s'",
        "_o__dup2",
        " Microsoft Corporation. All rights reserved.",
        "Windows Command Processor",
        "j:Xf;",
        "RevertToSelf",
        "1)2D2N2",
        "OpenThread",
        "3#4?4L4p4x4",
        "],//cuu",
        "RQQVVVP",
        "Rh((T",
        "GetConsoleScreenBufferInfo",
        "5:6A6F6L6",
        "_o__crt_atexit",
        "RegEnumKeyExW",
        "api-ms-win-core-interlocked-l1-1-0.dll",
        "_o__wcsupr",
        "    processorArchitecture=\"x86\"",
        "_o__set_fmode",
        "FillConsoleOutputAttribute",
        ">$>5>i>",
        ".rdata$zzzdbg",
        "_o__open_osfhandle",
        "VSh\\#",
        ".rdata$sxdata",
        "L$0Qh",
        "wait \"\" \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"",
        "1B2O2",
        ">??E?",
        "COMSPEC",
        "0\"1R1\\1c1",
        "SetThreadUILanguage",
        "jUv`FWv",
        "SetConsoleTitleW",
        "!w\\t&H+",
        "1/1t1y1",
        "api-ms-win-core-file-l2-1-0.dll",
        "f90u)",
        "4qaCCRCCCB",
        "memset",
        "262?2E2u2z2",
        "; ;D;P;X;p;x;",
        "_o_free",
        "D$$Ph",
        "QQSVWj",
        "515=5C5]5c5v5|5",
        "REM/?",
        "3e4n4w4}4",
        "ENDLOCAL",
        "8/8V9",
        "GetFileType",
        "    <windowsSettings xmlns:ws2=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">",
        "WaitForSingleObject",
        ".CRT$XCAA",
        "SetConsoleInputExeNameW",
        "f97tb",
        "93:::T:[:",
        "api-ms-win-core-memory-l1-1-0.dll",
        "cv0CWv Dcv",
        "u%6RRRRRPp",
        "^v0WVv",
        "_o__errno",
        "System\\Software\\Microsoft\\Command Processor",
        "j%Xf9",
        "InitializeProcThreadAttributeList",
        "465x5",
        "j Yf9",
        ";&;2;>;J;V;b;n;z;",
        "NtQueryWnfStateData",
        ":+:_:r:",
        "_o__wcslwr",
        "api-ms-win-core-localization-l1-2-0.dll",
        "                uiAccess=\"false\"",
        "wwwwwwwwwwwwwwwwwwwww",
        "0'0j0",
        "%hs!%p: ",
        "_o__getch",
        "8I8s8",
        "CreateProcessAsUserW",
        "L$ h(#",
        "PSh^#",
        "=!>'>i>n>",
        ".rdata$zz$brc",
        " Operating System",
        "3I4X4n4",
        "FindFirstStreamWStub",
        "GetFileAttributesW",
        "GetEnvironmentStringsW",
        "uqj?Z",
        "bad allocation",
        ".00cfg",
        "0T0b0r0",
        "\\CMD.EXE",
        "j\\Zf9",
        "bv`{bv",
        "O<j;Z",
        "9 949:9L9Q9W9\\9b9m9s9z9",
        "QQSVW3",
        "</trustInfo>",
        "<\"<C<I<P<",
        "MoveFileExW",
        "api-ms-win-core-console-l1-1-0.dll",
        "SystemTimeToFileTime",
        "Wj:Xf9F",
        "_o__configthreadlocale",
        "Unknown exception",
        "L$ PQ",
        "_o_exit",
        "CreateDirectoryW",
        "t5PPQhP",
        "_o_iswxdigit",
        "WilStaging_02",
        ".CRT$XPA",
        "api-ms-win-core-timezone-l1-1-0.dll",
        "wcsrchr",
        "8=:x:",
        "5Z6`6",
        "u8Wh ",
        "SetUnhandledExceptionFilter",
        "'j:Xj.f",
        "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "QueryFullProcessImageNameWStub",
        "__CxxFrameHandler3",
        "LookupAccountSidWStub",
        "_ _^[",
        "FileVersion",
        "@_^[]",
        "1[1z1",
        "CreateSemaphoreExW",
        "            <requestedExecutionLevel",
        "QRPh<",
        "SSSSP",
        "7$7H7q7x7",
        "QRRRP",
        "R- 6W",
        "FindNextFileW",
        "Y@_^[",
        "<!-- Copyright (c) Microsoft Corporation -->",
        "667n7",
        "Y__^[",
        "Qh$4T",
        "5d5k5",
        "9&u%3",
        "NtUpdateWnfStateData",
        "=!?;?",
        ".CRT$XTZ",
        "E$uwM",
        "=ExitCode",
        "9-:S:",
        ";E;j;z;",
        "?#?1?F?T?_?n?s?x?",
        "GetThreadGroupAffinity",
        "Software\\Microsoft\\Command Processor",
        "SetFilePointerEx",
        "<i=}=",
        "NeedCurrentDirectoryForExePathW",
        "XXX8Pvh8v",
        ".idata$2",
        "0#030=0N0^0t0{0",
        "api-ms-win-core-io-l1-1-0.dll",
        "RMDIR",
        ":u0f9N",
        "y.wpR.w",
        "ExpandEnvironmentStringsW",
        "4%4+494l4",
        "`v`*Uv",
        "_o_malloc",
        ":D:Q:",
        "4#4)4.44494?4E4J4",
        "HeapSize",
        "SetEnvironmentVariableW",
        "4T5_5",
        "FileTimeToSystemTime",
        "1,171T1r1",
        ".rdata$voltmd",
        "cmd.exe",
        ":0:P:p:",
        "ERASE",
        "wcsncmp",
        "849`9",
        "6 7f7",
        "    </windowsSettings>",
        "VirtualFree",
        "api-ms-win-core-errorhandling-l1-1-0.dll",
        "RegDeleteKeyExW",
        "9Z:a:",
        ".didat$2",
        "GetNumaNodeProcessorMaskEx",
        "GetConsoleTitleW",
        "0\"0(0P0",
        "api-ms-win-core-processenvironment-l1-2-0.dll",
        "YY[_^",
        "Wht*T",
        "m;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Users\\malware\\AppData\\Local\\Programs\\Python\\Python310-32\\Scripts\\;C:\\Users\\malware\\AppData\\Local\\Programs\\Python\\Python310-32\\;C:\\Users\\malware\\AppData\\Local\\Microsoft\\WindowsApps",
        ".rtc$IZZ",
        "SetLocalTime",
        "FOR/?",
        "=0=F=i=",
        "D$.PVj",
        "%s=%s",
        "DoSHChangeNotify",
        ";|$,u,9L$L|&",
        "KERNEL32.DLL",
        "W()|&=,;\"",
        ".idata",
        "<C<Q<",
        "ApiSetQueryApiSetPresence",
        "D$$95",
        "RtlReleaseRelativeName",
        "CHDIR",
        "T$$9T$",
        "CmdBatNotificationStub",
        "FlushConsoleInputBuffer",
        "SetEnvironmentStringsW",
        "RtlDisownModuleHeapAllocation",
        ".idata$3",
        "=8=R=w=",
        "5E6[6",
        "f91t4",
        ".text$np",
        "tokens=",
        "SEPARATE",
        "8\"878J8U8j8",
        "@u/QQ3",
        "91:4;R;Z;",
        "VirtualQuery",
        ">#>K>S>",
        "?(?B?I?[?i?",
        "?,?9?G?M?W?\\?b?{?",
        "8&8F8\\8",
        "PVh0)T",
        "SaferWorker",
        "=X?x?",
        "7#8v8",
        "L$4^3",
        "1?2[2",
        "tAj0Y",
        "api-ms-win-core-profile-l1-1-0.dll",
        "7=8S8",
        "NtCancelSynchronousIoFile",
        "RoUninitialize",
        "SVWj,",
        "%s (%s) %s",
        "617:7",
        "u0!C\\",
        "_o__setmode",
        "D$dPQj",
        "2B2Z2",
        "7\"8<8D8K8V8^8i8",
        "%hs(%u)\\%hs!%p: ",
        ";\\$$r",
        "longjmp",
        "2=2t2",
        "PUSHD",
        "0?0N0U0w0",
        "_o_terminate",
        "GetSystemTime",
        "ReturnNt",
        "O8j?Z",
        "<assemblyIdentity",
        ";';5;",
        "EnableExtensions",
        "tej\\Yf;",
        "tyj=_f;",
        "jDXP3",
        "8>9H9T9",
        "9:9S9n9v9",
        "0I1`1",
        "0-0F0T0^0d0v0",
        "j\\Zj:Y",
        "<I=O=",
        ".idata$5",
        "WaitForSingleObjectEx",
        "t*j Z",
        "chdir ",
        "D$$9D$tu+9D$4t",
        "u&Rh8#",
        "RaiseFailFastException",
        "7$7l7",
        "9|$Xu",
        "9-:F:M:k:",
        "~)f9LS",
        "_o__ultoa",
        "j\"[umf9",
        ";,<=<J<^<v<",
        "3.4A4",
        "Cmd.Exe",
        "SHIFT",
        "9,979F9L9Q9W9l9q9y9",
        "<*=C=G=k=",
        "dd/MM/yy",
        "E;.JS;.JSE;.WSF;.WSH;.MSC",
        "6X6g6",
        "CSVFS",
        "1&1,1>1H1",
        ".rdata$00",
        ">_^[]",
        "w{hx4T",
        "GetCurrentProcess",
        "GetDriveTypeW",
        ".CRT$XPZ",
        ".CRT$XIA",
        "InternalName",
        "Software\\Policies\\Microsoft\\Windows\\System",
        "api-ms-win-core-console-l2-2-0.dll",
        "CopyFileExW",
        "0f;2u",
        "GetCPInfo",
        "RtlFindLeastSignificantBit",
        "B4;r4u",
        ".rdata$00$brc",
        "_o_realloc",
        "RegCloseKey",
        "DISABLEDELAYEDEXPANSION",
        ".didat",
        "AutoRun",
        "_o__set_app_type",
        "g`wPi`w@p`wP",
        "BELOWNORMAL",
        "            />",
        "NtFsControlFile"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
      "process_name": "cmd.exe",
      "module_path": "C:\\Windows\\SysWOW64\\cmd.exe",
      "pid": 4136
    },
    {
      "name": "a319c40cd65e2aaf276b878cb491f56ec21ab307ee06aded3b10b328006e34e5",
      "path": "/opt/CAPEv2/storage/analyses/6/procdump/a319c40cd65e2aaf276b878cb491f56ec21ab307ee06aded3b10b328006e34e5",
      "guest_paths": "1;?C:\\Windows\\SysWOW64\\cmd.exe;?C:\\Windows\\SysWOW64\\cmd.exe;?",
      "size": 356864,
      "crc32": "3880C3A7",
      "md5": "3e373605c6f959d2c39a43349e69dbc0",
      "sha1": "7bedbf35dd5809a577c319c40b37bed3a94613bf",
      "sha256": "a319c40cd65e2aaf276b878cb491f56ec21ab307ee06aded3b10b328006e34e5",
      "sha512": "eb70395e593b5c7afd066d82e2b740aaccd6b7adc1312abcc92976d6166e71f98cbfa445c21cd5597c4896e935414046d92440648daf782eb2c4eefb2a558984",
      "rh_hash": null,
      "ssdeep": "6144:/zIMI70hNHUZzrUMBpsQgvmspRJZtvhxX1m+:/8MG0h1UZjHsQgvBpRJZ91p",
      "type": "PE32 executable (console) Intel 80386, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T137747C62A24441B5DDA1227C699EF6368D7DFC208B2151C3A3D1AFDBF8307C1793935A",
      "sha3_384": "84a8687db0a3336e5faca78426ad5e37c2ca8272b8e46ccdfbff724aaeb1f2e5c474902cbcb44d1354cb35b0ee6739df",
      "yara_hash": "fe117167fbd534878f0d9e7ac29fa46e0f54b9514e7874201773b1e16ed71c1a",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "This file format cannot be verified because it is not recognized.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00540000",
        "entrypoint": "0x0001bd70",
        "ep_bytes": "e8f0050000e96efeffffcccccccccccc",
        "peid_signatures": null,
        "reported_checksum": "0x0003d8b4",
        "actual_checksum": "0x0005c728",
        "osversion": "10.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": "cmd.pdb",
        "imports": {
          "api-ms-win-crt-string-l1-1-0": {
            "dll": "api-ms-win-crt-string-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b474",
                "name": "memset"
              },
              {
                "address": "0x58b478",
                "name": "wcsncmp"
              },
              {
                "address": "0x58b47c",
                "name": "wcsspn"
              }
            ]
          },
          "api-ms-win-crt-time-l1-1-0": {
            "dll": "api-ms-win-crt-time-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b484",
                "name": "_time32"
              }
            ]
          },
          "api-ms-win-crt-runtime-l1-1-0": {
            "dll": "api-ms-win-crt-runtime-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b460",
                "name": "_register_thread_local_exe_atexit_callback"
              },
              {
                "address": "0x58b464",
                "name": "_c_exit"
              },
              {
                "address": "0x58b468",
                "name": "_initterm_e"
              },
              {
                "address": "0x58b46c",
                "name": "_initterm"
              }
            ]
          },
          "api-ms-win-crt-private-l1-1-0": {
            "dll": "api-ms-win-crt-private-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b318",
                "name": "_o__get_initial_narrow_environment"
              },
              {
                "address": "0x58b31c",
                "name": "_o__get_osfhandle"
              },
              {
                "address": "0x58b320",
                "name": "_o__getch"
              },
              {
                "address": "0x58b324",
                "name": "_o__initialize_narrow_environment"
              },
              {
                "address": "0x58b328",
                "name": "_o__initialize_onexit_table"
              },
              {
                "address": "0x58b32c",
                "name": "_o__invalid_parameter_noinfo"
              },
              {
                "address": "0x58b330",
                "name": "_o__open_osfhandle"
              },
              {
                "address": "0x58b334",
                "name": "_o__pclose"
              },
              {
                "address": "0x58b338",
                "name": "_o__pipe"
              },
              {
                "address": "0x58b33c",
                "name": "_o__purecall"
              },
              {
                "address": "0x58b340",
                "name": "_o__register_onexit_function"
              },
              {
                "address": "0x58b344",
                "name": "_o__seh_filter_exe"
              },
              {
                "address": "0x58b348",
                "name": "_o__set_app_type"
              },
              {
                "address": "0x58b34c",
                "name": "_o__set_fmode"
              },
              {
                "address": "0x58b350",
                "name": "_o__set_new_mode"
              },
              {
                "address": "0x58b354",
                "name": "_o__setmode"
              },
              {
                "address": "0x58b358",
                "name": "memmove"
              },
              {
                "address": "0x58b35c",
                "name": "_o__ultoa"
              },
              {
                "address": "0x58b360",
                "name": "_o__ultoa_s"
              },
              {
                "address": "0x58b364",
                "name": "_o__wcsicmp"
              },
              {
                "address": "0x58b368",
                "name": "_o__wcslwr"
              },
              {
                "address": "0x58b36c",
                "name": "_o__wcsnicmp"
              },
              {
                "address": "0x58b370",
                "name": "_o__wcsupr"
              },
              {
                "address": "0x58b374",
                "name": "_o__wpopen"
              },
              {
                "address": "0x58b378",
                "name": "_o__wtol"
              },
              {
                "address": "0x58b37c",
                "name": "_o_calloc"
              },
              {
                "address": "0x58b380",
                "name": "_o_exit"
              },
              {
                "address": "0x58b384",
                "name": "_o_feof"
              },
              {
                "address": "0x58b388",
                "name": "_o_ferror"
              },
              {
                "address": "0x58b38c",
                "name": "_o_fflush"
              },
              {
                "address": "0x58b390",
                "name": "_o_fgets"
              },
              {
                "address": "0x58b394",
                "name": "_o_free"
              },
              {
                "address": "0x58b398",
                "name": "_o_iswalpha"
              },
              {
                "address": "0x58b39c",
                "name": "_o_iswdigit"
              },
              {
                "address": "0x58b3a0",
                "name": "_o_iswspace"
              },
              {
                "address": "0x58b3a4",
                "name": "_o_iswxdigit"
              },
              {
                "address": "0x58b3a8",
                "name": "_o_malloc"
              },
              {
                "address": "0x58b3ac",
                "name": "_o_qsort"
              },
              {
                "address": "0x58b3b0",
                "name": "_o_rand"
              },
              {
                "address": "0x58b3b4",
                "name": "_o_realloc"
              },
              {
                "address": "0x58b3b8",
                "name": "_o_setlocale"
              },
              {
                "address": "0x58b3bc",
                "name": "_o_srand"
              },
              {
                "address": "0x58b3c0",
                "name": "_o_terminate"
              },
              {
                "address": "0x58b3c4",
                "name": "_o_towlower"
              },
              {
                "address": "0x58b3c8",
                "name": "_o_towupper"
              },
              {
                "address": "0x58b3cc",
                "name": "_o_wcstol"
              },
              {
                "address": "0x58b3d0",
                "name": "_o_wcstoul"
              },
              {
                "address": "0x58b3d4",
                "name": "_except_handler4_common"
              },
              {
                "address": "0x58b3d8",
                "name": "__CxxFrameHandler3"
              },
              {
                "address": "0x58b3dc",
                "name": "__current_exception"
              },
              {
                "address": "0x58b3e0",
                "name": "__current_exception_context"
              },
              {
                "address": "0x58b3e4",
                "name": "_CxxThrowException"
              },
              {
                "address": "0x58b3e8",
                "name": "_o__exit"
              },
              {
                "address": "0x58b3ec",
                "name": "_o__errno"
              },
              {
                "address": "0x58b3f0",
                "name": "_o__dup2"
              },
              {
                "address": "0x58b3f4",
                "name": "_o__dup"
              },
              {
                "address": "0x58b3f8",
                "name": "_o__crt_atexit"
              },
              {
                "address": "0x58b3fc",
                "name": "_o__controlfp_s"
              },
              {
                "address": "0x58b400",
                "name": "_o__configure_narrow_argv"
              },
              {
                "address": "0x58b404",
                "name": "_o__configthreadlocale"
              },
              {
                "address": "0x58b408",
                "name": "_o__close"
              },
              {
                "address": "0x58b40c",
                "name": "_o__cexit"
              },
              {
                "address": "0x58b410",
                "name": "_o__callnewh"
              },
              {
                "address": "0x58b414",
                "name": "_o___stdio_common_vswscanf"
              },
              {
                "address": "0x58b418",
                "name": "_o___stdio_common_vswprintf"
              },
              {
                "address": "0x58b41c",
                "name": "_o___stdio_common_vfprintf"
              },
              {
                "address": "0x58b420",
                "name": "_o___std_exception_destroy"
              },
              {
                "address": "0x58b424",
                "name": "_o___std_exception_copy"
              },
              {
                "address": "0x58b428",
                "name": "_o___p__commode"
              },
              {
                "address": "0x58b42c",
                "name": "_o___p___argv"
              },
              {
                "address": "0x58b430",
                "name": "_o___p___argc"
              },
              {
                "address": "0x58b434",
                "name": "_o___acrt_iob_func"
              },
              {
                "address": "0x58b438",
                "name": "wcsstr"
              },
              {
                "address": "0x58b43c",
                "name": "wcsrchr"
              },
              {
                "address": "0x58b440",
                "name": "wcschr"
              },
              {
                "address": "0x58b444",
                "name": "longjmp"
              },
              {
                "address": "0x58b448",
                "name": "_local_unwind4"
              },
              {
                "address": "0x58b44c",
                "name": "_setjmp3"
              },
              {
                "address": "0x58b450",
                "name": "memcmp"
              },
              {
                "address": "0x58b454",
                "name": "memcpy"
              },
              {
                "address": "0x58b458",
                "name": "_o__tell"
              }
            ]
          },
          "ntdll": {
            "dll": "ntdll.dll",
            "imports": [
              {
                "address": "0x58b49c",
                "name": "RtlCreateUnicodeStringFromAsciiz"
              },
              {
                "address": "0x58b4a0",
                "name": "NtOpenProcessToken"
              },
              {
                "address": "0x58b4a4",
                "name": "NtQueryInformationToken"
              },
              {
                "address": "0x58b4a8",
                "name": "NtClose"
              },
              {
                "address": "0x58b4ac",
                "name": "NtOpenThreadToken"
              },
              {
                "address": "0x58b4b0",
                "name": "NtCancelSynchronousIoFile"
              },
              {
                "address": "0x58b4b4",
                "name": "RtlNtStatusToDosError"
              },
              {
                "address": "0x58b4b8",
                "name": "NtQueryInformationProcess"
              },
              {
                "address": "0x58b4bc",
                "name": "NtSetInformationProcess"
              },
              {
                "address": "0x58b4c0",
                "name": "NtQueryVolumeInformationFile"
              },
              {
                "address": "0x58b4c4",
                "name": "NtSetInformationFile"
              },
              {
                "address": "0x58b4c8",
                "name": "RtlDosPathNameToRelativeNtPathName_U_WithStatus"
              },
              {
                "address": "0x58b4cc",
                "name": "NtOpenFile"
              },
              {
                "address": "0x58b4d0",
                "name": "RtlReleaseRelativeName"
              },
              {
                "address": "0x58b4d4",
                "name": "RtlFreeUnicodeString"
              },
              {
                "address": "0x58b4d8",
                "name": "RtlFindLeastSignificantBit"
              },
              {
                "address": "0x58b4dc",
                "name": "RtlDosPathNameToNtPathName_U"
              },
              {
                "address": "0x58b4e0",
                "name": "NtFsControlFile"
              },
              {
                "address": "0x58b4e4",
                "name": "RtlFreeHeap"
              }
            ]
          },
          "api-ms-win-core-libraryloader-l1-2-0": {
            "dll": "api-ms-win-core-libraryloader-l1-2-0.dll",
            "imports": [
              {
                "address": "0x58b174",
                "name": "LoadLibraryExW"
              },
              {
                "address": "0x58b178",
                "name": "GetModuleHandleExW"
              },
              {
                "address": "0x58b17c",
                "name": "GetModuleFileNameW"
              },
              {
                "address": "0x58b180",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x58b184",
                "name": "GetProcAddress"
              },
              {
                "address": "0x58b188",
                "name": "GetModuleFileNameA"
              }
            ]
          },
          "api-ms-win-core-synch-l1-1-0": {
            "dll": "api-ms-win-core-synch-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b288",
                "name": "InitializeCriticalSection"
              },
              {
                "address": "0x58b28c",
                "name": "ReleaseSRWLockExclusive"
              },
              {
                "address": "0x58b290",
                "name": "ReleaseSRWLockShared"
              },
              {
                "address": "0x58b294",
                "name": "TryAcquireSRWLockExclusive"
              },
              {
                "address": "0x58b298",
                "name": "ReleaseMutex"
              },
              {
                "address": "0x58b29c",
                "name": "AcquireSRWLockExclusive"
              },
              {
                "address": "0x58b2a0",
                "name": "WaitForSingleObject"
              },
              {
                "address": "0x58b2a4",
                "name": "WaitForSingleObjectEx"
              },
              {
                "address": "0x58b2a8",
                "name": "InitializeCriticalSectionEx"
              },
              {
                "address": "0x58b2ac",
                "name": "LeaveCriticalSection"
              },
              {
                "address": "0x58b2b0",
                "name": "AcquireSRWLockShared"
              },
              {
                "address": "0x58b2b4",
                "name": "ReleaseSemaphore"
              },
              {
                "address": "0x58b2b8",
                "name": "EnterCriticalSection"
              },
              {
                "address": "0x58b2bc",
                "name": "DeleteCriticalSection"
              },
              {
                "address": "0x58b2c0",
                "name": "CreateMutexExW"
              },
              {
                "address": "0x58b2c4",
                "name": "CreateSemaphoreExW"
              },
              {
                "address": "0x58b2c8",
                "name": "OpenSemaphoreW"
              }
            ]
          },
          "api-ms-win-core-heap-l1-1-0": {
            "dll": "api-ms-win-core-heap-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b138",
                "name": "HeapReAlloc"
              },
              {
                "address": "0x58b13c",
                "name": "GetProcessHeap"
              },
              {
                "address": "0x58b140",
                "name": "HeapSize"
              },
              {
                "address": "0x58b144",
                "name": "HeapFree"
              },
              {
                "address": "0x58b148",
                "name": "HeapAlloc"
              },
              {
                "address": "0x58b14c",
                "name": "HeapSetInformation"
              }
            ]
          },
          "api-ms-win-core-errorhandling-l1-1-0": {
            "dll": "api-ms-win-core-errorhandling-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b084",
                "name": "SetErrorMode"
              },
              {
                "address": "0x58b088",
                "name": "SetLastError"
              },
              {
                "address": "0x58b08c",
                "name": "SetUnhandledExceptionFilter"
              },
              {
                "address": "0x58b090",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x58b094",
                "name": "GetLastError"
              }
            ]
          },
          "api-ms-win-core-threadpool-l1-2-0": {
            "dll": "api-ms-win-core-threadpool-l1-2-0.dll",
            "imports": [
              {
                "address": "0x58b2f8",
                "name": "SetThreadpoolTimer"
              },
              {
                "address": "0x58b2fc",
                "name": "CloseThreadpoolTimer"
              },
              {
                "address": "0x58b300",
                "name": "WaitForThreadpoolTimerCallbacks"
              },
              {
                "address": "0x58b304",
                "name": "CreateThreadpoolTimer"
              }
            ]
          },
          "api-ms-win-core-processthreads-l1-1-0": {
            "dll": "api-ms-win-core-processthreads-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b208",
                "name": "DeleteProcThreadAttributeList"
              },
              {
                "address": "0x58b20c",
                "name": "CreateProcessAsUserW"
              },
              {
                "address": "0x58b210",
                "name": "CreateProcessW"
              },
              {
                "address": "0x58b214",
                "name": "UpdateProcThreadAttribute"
              },
              {
                "address": "0x58b218",
                "name": "InitializeProcThreadAttributeList"
              },
              {
                "address": "0x58b21c",
                "name": "GetCurrentThreadId"
              },
              {
                "address": "0x58b220",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x58b224",
                "name": "ResumeThread"
              },
              {
                "address": "0x58b228",
                "name": "GetCurrentProcessId"
              },
              {
                "address": "0x58b22c",
                "name": "GetExitCodeProcess"
              },
              {
                "address": "0x58b230",
                "name": "TerminateProcess"
              },
              {
                "address": "0x58b234",
                "name": "OpenThread"
              },
              {
                "address": "0x58b238",
                "name": "GetStartupInfoW"
              }
            ]
          },
          "api-ms-win-core-localization-l1-2-0": {
            "dll": "api-ms-win-core-localization-l1-2-0.dll",
            "imports": [
              {
                "address": "0x58b190",
                "name": "GetUserDefaultLCID"
              },
              {
                "address": "0x58b194",
                "name": "GetCPInfo"
              },
              {
                "address": "0x58b198",
                "name": "SetThreadLocale"
              },
              {
                "address": "0x58b19c",
                "name": "GetACP"
              },
              {
                "address": "0x58b1a0",
                "name": "GetThreadLocale"
              },
              {
                "address": "0x58b1a4",
                "name": "GetLocaleInfoW"
              },
              {
                "address": "0x58b1a8",
                "name": "FormatMessageW"
              }
            ]
          },
          "api-ms-win-core-debug-l1-1-0": {
            "dll": "api-ms-win-core-debug-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b064",
                "name": "OutputDebugStringW"
              },
              {
                "address": "0x58b068",
                "name": "IsDebuggerPresent"
              },
              {
                "address": "0x58b06c",
                "name": "DebugBreak"
              }
            ]
          },
          "api-ms-win-core-handle-l1-1-0": {
            "dll": "api-ms-win-core-handle-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b12c",
                "name": "CloseHandle"
              },
              {
                "address": "0x58b130",
                "name": "DuplicateHandle"
              }
            ]
          },
          "api-ms-win-core-memory-l1-1-0": {
            "dll": "api-ms-win-core-memory-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b1b0",
                "name": "VirtualQuery"
              },
              {
                "address": "0x58b1b4",
                "name": "VirtualFree"
              },
              {
                "address": "0x58b1b8",
                "name": "VirtualAlloc"
              },
              {
                "address": "0x58b1bc",
                "name": "ReadProcessMemory"
              }
            ]
          },
          "api-ms-win-core-console-l1-1-0": {
            "dll": "api-ms-win-core-console-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b008",
                "name": "GetConsoleOutputCP"
              },
              {
                "address": "0x58b00c",
                "name": "SetConsoleMode"
              },
              {
                "address": "0x58b010",
                "name": "GetConsoleMode"
              },
              {
                "address": "0x58b014",
                "name": "SetConsoleCtrlHandler"
              },
              {
                "address": "0x58b018",
                "name": "WriteConsoleW"
              },
              {
                "address": "0x58b01c",
                "name": "ReadConsoleW"
              }
            ]
          },
          "api-ms-win-core-file-l1-1-0": {
            "dll": "api-ms-win-core-file-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b09c",
                "name": "WriteFile"
              },
              {
                "address": "0x58b0a0",
                "name": "FindFirstFileExW"
              },
              {
                "address": "0x58b0a4",
                "name": "CompareFileTime"
              },
              {
                "address": "0x58b0a8",
                "name": "RemoveDirectoryW"
              },
              {
                "address": "0x58b0ac",
                "name": "GetFileSize"
              },
              {
                "address": "0x58b0b0",
                "name": "GetFileAttributesW"
              },
              {
                "address": "0x58b0b4",
                "name": "GetFileType"
              },
              {
                "address": "0x58b0b8",
                "name": "GetVolumePathNameW"
              },
              {
                "address": "0x58b0bc",
                "name": "SetFilePointer"
              },
              {
                "address": "0x58b0c0",
                "name": "SetFileTime"
              },
              {
                "address": "0x58b0c4",
                "name": "DeleteFileW"
              },
              {
                "address": "0x58b0c8",
                "name": "SetEndOfFile"
              },
              {
                "address": "0x58b0cc",
                "name": "SetFileAttributesW"
              },
              {
                "address": "0x58b0d0",
                "name": "GetDriveTypeW"
              },
              {
                "address": "0x58b0d4",
                "name": "CreateDirectoryW"
              },
              {
                "address": "0x58b0d8",
                "name": "ReadFile"
              },
              {
                "address": "0x58b0dc",
                "name": "GetVolumeInformationW"
              },
              {
                "address": "0x58b0e0",
                "name": "GetDiskFreeSpaceExW"
              },
              {
                "address": "0x58b0e4",
                "name": "CreateFileW"
              },
              {
                "address": "0x58b0e8",
                "name": "FlushFileBuffers"
              },
              {
                "address": "0x58b0ec",
                "name": "GetFileAttributesExW"
              },
              {
                "address": "0x58b0f0",
                "name": "FindClose"
              },
              {
                "address": "0x58b0f4",
                "name": "FindNextFileW"
              },
              {
                "address": "0x58b0f8",
                "name": "FindFirstFileW"
              },
              {
                "address": "0x58b0fc",
                "name": "FileTimeToLocalFileTime"
              },
              {
                "address": "0x58b100",
                "name": "GetFullPathNameW"
              },
              {
                "address": "0x58b104",
                "name": "SetFilePointerEx"
              }
            ]
          },
          "api-ms-win-core-string-l1-1-0": {
            "dll": "api-ms-win-core-string-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b27c",
                "name": "WideCharToMultiByte"
              },
              {
                "address": "0x58b280",
                "name": "MultiByteToWideChar"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-1-0": {
            "dll": "api-ms-win-core-processenvironment-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b1d0",
                "name": "SetEnvironmentStringsW"
              },
              {
                "address": "0x58b1d4",
                "name": "SetEnvironmentVariableW"
              },
              {
                "address": "0x58b1d8",
                "name": "FreeEnvironmentStringsW"
              },
              {
                "address": "0x58b1dc",
                "name": "SearchPathW"
              },
              {
                "address": "0x58b1e0",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x58b1e4",
                "name": "GetStdHandle"
              },
              {
                "address": "0x58b1e8",
                "name": "GetCurrentDirectoryW"
              },
              {
                "address": "0x58b1ec",
                "name": "SetCurrentDirectoryW"
              },
              {
                "address": "0x58b1f0",
                "name": "ExpandEnvironmentStringsW"
              },
              {
                "address": "0x58b1f4",
                "name": "GetEnvironmentVariableW"
              },
              {
                "address": "0x58b1f8",
                "name": "GetEnvironmentStringsW"
              }
            ]
          },
          "api-ms-win-core-console-l2-1-0": {
            "dll": "api-ms-win-core-console-l2-1-0.dll",
            "imports": [
              {
                "address": "0x58b024",
                "name": "SetConsoleCursorPosition"
              },
              {
                "address": "0x58b028",
                "name": "FlushConsoleInputBuffer"
              },
              {
                "address": "0x58b02c",
                "name": "FillConsoleOutputCharacterW"
              },
              {
                "address": "0x58b030",
                "name": "ScrollConsoleScreenBufferW"
              },
              {
                "address": "0x58b034",
                "name": "GetConsoleScreenBufferInfo"
              },
              {
                "address": "0x58b038",
                "name": "SetConsoleTextAttribute"
              },
              {
                "address": "0x58b03c",
                "name": "FillConsoleOutputAttribute"
              }
            ]
          },
          "api-ms-win-security-base-l1-1-0": {
            "dll": "api-ms-win-security-base-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b48c",
                "name": "RevertToSelf"
              },
              {
                "address": "0x58b490",
                "name": "GetFileSecurityW"
              },
              {
                "address": "0x58b494",
                "name": "GetSecurityDescriptorOwner"
              }
            ]
          },
          "api-ms-win-core-sysinfo-l1-1-0": {
            "dll": "api-ms-win-core-sysinfo-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b2d0",
                "name": "SetLocalTime"
              },
              {
                "address": "0x58b2d4",
                "name": "GetSystemTime"
              },
              {
                "address": "0x58b2d8",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x58b2dc",
                "name": "GetVersion"
              },
              {
                "address": "0x58b2e0",
                "name": "GetLocalTime"
              },
              {
                "address": "0x58b2e4",
                "name": "GetWindowsDirectoryW"
              }
            ]
          },
          "api-ms-win-core-timezone-l1-1-0": {
            "dll": "api-ms-win-core-timezone-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b30c",
                "name": "SystemTimeToFileTime"
              },
              {
                "address": "0x58b310",
                "name": "FileTimeToSystemTime"
              }
            ]
          },
          "api-ms-win-core-datetime-l1-1-0": {
            "dll": "api-ms-win-core-datetime-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b058",
                "name": "GetTimeFormatW"
              },
              {
                "address": "0x58b05c",
                "name": "GetDateFormatW"
              }
            ]
          },
          "api-ms-win-core-systemtopology-l1-1-0": {
            "dll": "api-ms-win-core-systemtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b2ec",
                "name": "GetNumaNodeProcessorMaskEx"
              },
              {
                "address": "0x58b2f0",
                "name": "GetNumaHighestNodeNumber"
              }
            ]
          },
          "api-ms-win-core-console-l2-2-0": {
            "dll": "api-ms-win-core-console-l2-2-0.dll",
            "imports": [
              {
                "address": "0x58b044",
                "name": "SetConsoleTitleW"
              },
              {
                "address": "0x58b048",
                "name": "GetConsoleTitleW"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-2-0": {
            "dll": "api-ms-win-core-processenvironment-l1-2-0.dll",
            "imports": [
              {
                "address": "0x58b200",
                "name": "NeedCurrentDirectoryForExePathW"
              }
            ]
          },
          "api-ms-win-core-registry-l1-1-0": {
            "dll": "api-ms-win-core-registry-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b258",
                "name": "RegCreateKeyExW"
              },
              {
                "address": "0x58b25c",
                "name": "RegCloseKey"
              },
              {
                "address": "0x58b260",
                "name": "RegSetValueExW"
              },
              {
                "address": "0x58b264",
                "name": "RegEnumKeyExW"
              },
              {
                "address": "0x58b268",
                "name": "RegDeleteKeyExW"
              },
              {
                "address": "0x58b26c",
                "name": "RegDeleteValueW"
              },
              {
                "address": "0x58b270",
                "name": "RegOpenKeyExW"
              },
              {
                "address": "0x58b274",
                "name": "RegQueryValueExW"
              }
            ]
          },
          "api-ms-win-core-file-l2-1-0": {
            "dll": "api-ms-win-core-file-l2-1-0.dll",
            "imports": [
              {
                "address": "0x58b10c",
                "name": "CreateHardLinkW"
              },
              {
                "address": "0x58b110",
                "name": "GetFileInformationByHandleEx"
              },
              {
                "address": "0x58b114",
                "name": "MoveFileWithProgressW"
              },
              {
                "address": "0x58b118",
                "name": "MoveFileExW"
              },
              {
                "address": "0x58b11c",
                "name": "CreateSymbolicLinkW"
              }
            ]
          },
          "api-ms-win-core-heap-l2-1-0": {
            "dll": "api-ms-win-core-heap-l2-1-0.dll",
            "imports": [
              {
                "address": "0x58b154",
                "name": "GlobalFree"
              },
              {
                "address": "0x58b158",
                "name": "LocalFree"
              },
              {
                "address": "0x58b15c",
                "name": "GlobalAlloc"
              }
            ]
          },
          "api-ms-win-core-file-l2-1-2": {
            "dll": "api-ms-win-core-file-l2-1-2.dll",
            "imports": [
              {
                "address": "0x58b124",
                "name": "CopyFileW"
              }
            ]
          },
          "api-ms-win-core-io-l1-1-0": {
            "dll": "api-ms-win-core-io-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b16c",
                "name": "DeviceIoControl"
              }
            ]
          },
          "api-ms-win-core-console-l3-2-0": {
            "dll": "api-ms-win-core-console-l3-2-0.dll",
            "imports": [
              {
                "address": "0x58b050",
                "name": "GetConsoleWindow"
              }
            ]
          },
          "api-ms-win-core-processtopology-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b248",
                "name": "GetThreadGroupAffinity"
              }
            ]
          },
          "api-ms-win-core-processthreads-l1-1-1": {
            "dll": "api-ms-win-core-processthreads-l1-1-1.dll",
            "imports": [
              {
                "address": "0x58b240",
                "name": "IsProcessorFeaturePresent"
              }
            ]
          },
          "api-ms-win-core-profile-l1-1-0": {
            "dll": "api-ms-win-core-profile-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b250",
                "name": "QueryPerformanceCounter"
              }
            ]
          },
          "api-ms-win-core-interlocked-l1-1-0": {
            "dll": "api-ms-win-core-interlocked-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b164",
                "name": "InitializeSListHead"
              }
            ]
          },
          "api-ms-win-core-misc-l1-1-0": {
            "dll": "api-ms-win-core-misc-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b1c4",
                "name": "lstrcmpiW"
              },
              {
                "address": "0x58b1c8",
                "name": "lstrcmpW"
              }
            ]
          },
          "api-ms-win-core-apiquery-l1-1-0": {
            "dll": "api-ms-win-core-apiquery-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b000",
                "name": "ApiSetQueryApiSetPresence"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-1": {
            "dll": "api-ms-win-core-delayload-l1-1-1.dll",
            "imports": [
              {
                "address": "0x58b07c",
                "name": "ResolveDelayLoadedAPI"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-0": {
            "dll": "api-ms-win-core-delayload-l1-1-0.dll",
            "imports": [
              {
                "address": "0x58b074",
                "name": "DelayLoadFailureHook"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0004b4f4",
            "size": "0x00000348"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0004f000",
            "size": "0x000084f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00058000",
            "size": "0x0000254c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00002d74",
            "size": "0x00000054"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00001000",
            "size": "0x000000c0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x0002ecdc",
            "size": "0x000000a0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x0002e000",
            "size_of_data": "0x0002e000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.54"
          },
          {
            "name": ".data",
            "raw_address": "0x0002e400",
            "virtual_address": "0x0002f000",
            "virtual_size": "0x0001c000",
            "size_of_data": "0x0001b600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.15"
          },
          {
            "name": ".idata",
            "raw_address": "0x00049a00",
            "virtual_address": "0x0004b000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002a00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "5.52"
          },
          {
            "name": ".didat",
            "raw_address": "0x0004c400",
            "virtual_address": "0x0004e000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "1.01"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x0004c600",
            "virtual_address": "0x0004f000",
            "virtual_size": "0x00009000",
            "size_of_data": "0x00008600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.36"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00054c00",
            "virtual_address": "0x00058000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "6.76"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "MUI",
            "offset": "0x00057420",
            "size": "0x000000d8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.66"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004f778",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.65"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004fde0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000500c8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000501f0",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.06"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00051098",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00051940",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "0.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00051ea8",
            "size": "0x0000169e",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.85"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00053548",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00055af0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00056b98",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00057000",
            "size": "0x00000092",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.90"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00057098",
            "size": "0x00000388",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.53"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0004f350",
            "size": "0x00000426",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.00"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Windows Command Processor"
          },
          {
            "name": "FileVersion",
            "value": "10.0.22621.1635 (WinBuild.160101.0800)"
          },
          {
            "name": "InternalName",
            "value": "cmd"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "Cmd.Exe"
          },
          {
            "name": "ProductName",
            "value": "Microsoft® Windows® Operating System"
          },
          {
            "name": "ProductVersion",
            "value": "10.0.22621.1635"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "fd97afec4dc549dcd1fe1dad15035df9",
        "timestamp": "2000-03-26 22:56:14",
        "icon": "iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAACp0lEQVR4nO2ZPW/TQByHH8cpUyWQ2NjKd+AjNK1U1ZGQkBjZYWNhQAIEUmFgKuwsSEhISElV0TeoVFUsnSLUgS6J2nRJA0mTpknss8OQ2thN3Z7Tl5ORH+lyf/sud7+fz3e+OJCQkBBrNIDnL2ceaZo2q1qMDJ1O+/HMqxfvAAvopQE0TZu9e+++MlHvP+QAePgge+bxl8+f3gIfgRpgpq9a7Em4QmWPgetAC78BPZWiUS2f2Vkv+BG5/Hidftav2/PlbvJz89ZtN0wDKTfon0nrzLx+868TXwMnxbLJcZyB2M2FENi2jRACy7K83DRN2u02nU4Hy7I8TT9/lQYuRir0MsUEz8Dx4YoLp45APp8nn8+Hli8sLFy4oKiEGsjlchiGgWEYzM3Neefn5+cD9RYXFy9PnQRSc2B6etqLp6amvHhychKApaWlC5Ylz7kn8cTEBADLy8vnFjMMUgZOu4UAMpkMACsrKxckSx7vOXB8Ecpms94EDruF/IyPjwdGYXV1NbTT0dFRAG/Nd9F1HV3XA88LaQPVWmOg0DCMMxsAME2TWq3G2NgYzWaTRqOBpmlS3/Vj2za2bYeWV37vD5wbei/UbDapVCrs7e1Rr9eHbebcRDIghGBnZ4dSqcTh4eFlaYqElIGDgwOKxSK7u7sIIS5bUyRONSCEYGtri2KxKDWhVOBbhYLLULlcZnNzk263e+WiojAwAo7jUCgU2N7eVqEnMgEDpmmysbFBtVpVpScyngHH6bG2tkar1VKpJzLeVkLYduzEw//0iyyuJAZUkxhQTWJANYkB1cTeQGA3+u1HQZWOoUkD7NfrmfXvX9W9XovAs6dP7gBdQMDRf2TACHDjKI2oEBaBLvAHaAC2a0CjPxrXAF2RMFkEfRPhL5ASEhLiw1+s5V9Z8HnusgAAAABJRU5ErkJggg==",
        "icon_hash": "00d152c1523e56c619d25f6c96c21a41",
        "icon_fuzzy": "e55641fba39eaff4ee89e5fc0af8f337",
        "icon_dhash": "a2ae7a370101a3c0",
        "imported_dll_count": 41
      },
      "data": null,
      "strings": [
        "SetThreadLocale",
        "WNetGetConnectionWStub",
        "OutputDebugStringW",
        "u$h %T",
        ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC",
        "RWRVh",
        "0f;2u f",
        "CCCC@40`P@ ",
        "APerformUnaryOperation: '%c'",
        ",wP{.w",
        "__current_exception_context",
        "50G0O0T0Y0_0h0n0",
        "tSj/Z",
        "A=K=b=f=l=p=v=z=",
        "D$8t'",
        "QueryPerformanceCounter",
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>",
        "_o_iswalpha",
        "%hs(%d) tid(%x) %08X %ws",
        "UnhandledExceptionFilter",
        "1 232c2l2x2",
        ";+;7;c;i;",
        "PPQhP",
        "yy/MM/dd",
        "RtlCreateUnicodeStringFromAsciiz",
        "api-ms-win-core-heap-l1-1-0.dll",
        "_o___stdio_common_vfprintf",
        ";1;G;[;a;",
        "lbvPibv",
        "uGj\\Z",
        "_o_setlocale",
        "    <security>",
        "738v8",
        "0,0K0d061",
        "f;D$`",
        "CMDEXTVERSION",
        "uBSWR",
        "_o___stdio_common_vswscanf",
        "VS_VERSION_INFO",
        "api-ms-win-crt-private-l1-1-0.dll",
        "6^7j7w7",
        "<><C<H<j<o<w<",
        "%2d%s%02d%s%02d%s%02d",
        "=1=V=w=",
        "FindFirstFileExW",
        "2 3,363>3S3`3g3}3",
        ">x?}?",
        "v,Sh<#T",
        "YYf9}",
        "bad array new length",
        "LeaveCriticalSection",
        "%02d%s%02d%s",
        "ASSOC",
        "en-US",
        "api-ms-win-core-file-l1-1-0.dll",
        "96:=:E:",
        "onecore\\base\\cmd\\StartShellExecServiceProvider.h",
        "j.Yf;",
        "9#9<9l9",
        "3?4H4",
        ";C=R=",
        "RtlNtStatusToDosError",
        "uRVWj",
        "7(7.7E7L7Y7f7k7t7",
        "BrandingFormatString",
        "dvPIUv",
        ">F>L>R>W>h>s>~>",
        ";+;X;k;s;",
        "u&QWS",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\resource.h",
        "GlobalAlloc",
        "%s %s ",
        "< >->A>V>q>",
        "SVWt j",
        "    /D /c\"",
        ";#;/;8;@;_;e;",
        ".data$pr00",
        "334Q4`4",
        "CloseThreadpoolTimer",
        "Vf9\\$.t",
        "VirtualAlloc",
        " /K %s",
        " %x %c",
        "GetTimeFormatW",
        "COLOR",
        "CreateMutexExW",
        "SetConsoleTextAttribute",
        "DebugBreak",
        "D$dP3",
        "6#6'6+6/6",
        ".CRT$XIC",
        " &()[]{}^=;!%'+,`~",
        "2T3{3",
        "D$(PV",
        "=8=y=",
        "1h2q2v2",
        "0123456789",
        "4 4&464?4E4U4^4d4p4v4",
        "0Y1`1o1z1",
        "    <windowsSettings>",
        ".gljmp",
        ":-u\"j",
        "ReadProcessMemory",
        "NtQueryInformationProcess",
        "D$tPh",
        "0J1X1j1",
        "9_:|:",
        "wcschr",
        "REM /?",
        "VQh@5T",
        "8j9p9",
        "3-3I3X3i3",
        ":(;m;",
        "6M6x6",
        "RoInitialize",
        "8-8B8[8g8m8",
        "P8QRu",
        "TryAcquireSRWLockExclusive",
        "Qh4*T",
        "_CxxThrowException",
        "COPYCMD",
        "|$hWQ",
        "api-ms-win-core-systemtopology-l1-1-0.dll",
        "<application  xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "PVhP)T",
        "MessageBeepStub",
        "@$9Q w",
        ".data$dk00",
        "=B>I>",
        "1$222X2",
        "9T$Hu",
        "ProductName",
        "D$LPV",
        "__current_exception",
        "VPSRW",
        "api-ms-win-core-synch-l1-1-0.dll",
        ":3;<;B;G;Z;f;r;z;",
        "pXbs0Xbs ",
        "NtSetInformationProcess",
        "_o___p___argv",
        "</assembly>",
        "D$l;D$p",
        "6)707@7F7S7Z7",
        "b$j-0",
        "QSVWj",
        "4D4H4L4P4T4X4",
        "    name=\"Microsoft.Windows.FileSystem.CMD\"",
        "pushd ",
        "usebackq",
        "ReadConsoleW",
        "1 1$1(1,1014181<1@1D1H1L1P1T1X1\\1`1d1h1l1p1t1x1|1",
        "api-ms-win-core-file-l2-1-2.dll",
        "t$,PQ",
        "SetFileTime",
        "7(868E8",
        "DisableUNCCheck",
        "M0T0q0}0",
        "f;L$4u",
        "u)f9^",
        "<\"<.<B<N<Z<f<r<~<",
        "5ineI",
        "7/898B8K8`8i8",
        "*w@N,w",
        "536M7x7",
        "j\\[f9Y",
        "4&4.4J4S4\\4c4s4y4",
        "onecore\\internal\\sdk\\inc\\wil/Staging.h",
        "3e4q4",
        "=i=p=",
        ">\">)>0>8>@>H>T>]>b>h>r>|>",
        " Windows",
        ";%;G;N;U;`;g;w;",
        "VCShv#",
        "T$|RP",
        "9hX6T",
        "5K6V6[6f6",
        "_o__get_initial_narrow_environment",
        "f;D$,u",
        "EXIST",
        "9|$Xu+",
        "u(Qh@7T",
        "9T$Hv",
        "_o__wtol",
        "GetLocaleInfoW",
        "ntdll.dll",
        "????????.???",
        "Yj f;",
        "9B9G9",
        "WNetCancelConnection2WStub",
        "6L7f7",
        "==>\\>b>",
        "<>+-*/%()|^&=,",
        "7(7K7",
        "333O3`3",
        "DeleteCriticalSection",
        "QQQQP",
        "skip=",
        "4:5@5v5",
        ".?AVbad_alloc@std@@",
        "_o_calloc",
        "NDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
        "f98u]",
        "LogNt",
        ".rsrc$01",
        "t\\SWj",
        "cho User: %USERNAME%",
        "GetCurrentThreadId",
        "%02d%s%02d%s%02d",
        ";0;>;G;",
        "7C7x7",
        "8.8x8",
        "2\"2)2C2J2",
        "wwwwwwwwp",
        "10.0.22621.1635",
        "_o__configure_narrow_argv",
        "0x1}1",
        "Unknown",
        "t$TVP",
        "3A4H4k4",
        "</application>",
        "6'747y7",
        "api-ms-win-security-base-l1-1-0.dll",
        " v,PW",
        "Se%ae`",
        "=,;+/[] ",
        "rmdir ",
        "t+Vh5#",
        "ARM64",
        "_o__invalid_parameter_noinfo",
        "T$0QQV",
        "SetFileAttributesW",
        "Redir: ",
        "_o__tell",
        "0$0@0h0",
        "_o__pclose",
        "HIGHESTNUMANODENUMBER",
        ";<;N;U;m;u;{;",
        "D$8PW",
        "GetProcessHeap",
        "j\"Zf;",
        "t$0WS",
        "YY[_3",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "GetNumaHighestNodeNumber",
        "5A6G6O6X6^6s6",
        "?:?h?",
        "9\"9*939=9X9s9z9",
        "ho User: %USERNAME%",
        "3(3,3@3D3X3\\3p3t3",
        ".CRT$XCU",
        "FindClose",
        ">*?h?{?",
        ".rsrc",
        "RegDeleteValueW",
        "*** Unknown type: %x",
        "FillConsoleOutputCharacterW",
        "j\\Yf;",
        ":-;>;",
        "3'3-3l3y3",
        "Cmd: %s  Type: %x ",
        "GetDateFormatW",
        "=e>k>q>w>}>",
        "vTh #T",
        ".text",
        "SetEndOfFile",
        "VarFileInfo",
        "SVWj*",
        " \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"",
        "2&353>3K3g3",
        "=L=i=o=u={=",
        "RRRRP%",
        "pwCt9",
        "t$$t%S",
        "_o_fgets",
        "PathCompletionChar",
        "7]8~8",
        "FlushFileBuffers",
        "_o__cexit",
        "|]w@j`w",
        "cmd.pdb",
        ".idata$4",
        "|$B:t0",
        "T$$;T$",
        "GetWindowsDirectoryW",
        "_o_wcstoul",
        "8i8{8",
        "GetDiskFreeSpaceExW",
        "        <requestedPrivileges>",
        "4%4.4:4",
        ":,:4:h:p:x:",
        "DeleteFileW",
        "ReleaseSRWLockShared",
        "<description>Windows Command Processor</description>",
        "FileTimeToLocalFileTime",
        "j\\Xf9",
        ">!?&?",
        "424@4O4t4",
        "SetConsoleCursorPosition",
        "D3blc",
        "3!3(3-3=3F3Q3f3w3~3",
        "GetConsoleOutputCP",
        "Vh4*T",
        "<#=7=K=_={=",
        "?;?G?a?j?q?w?",
        ">.>D>",
        "iH4-N",
        "_o__wpopen",
        "FailFast",
        "Whh7T",
        "\"Ph@7T",
        "BREAK",
        ".text$di",
        "f90uK",
        "0.171=1v1",
        "8 8&858M8X8w8",
        "START",
        "<?=X=h=x>",
        "5ntel",
        "D$(QP",
        "8+8y8",
        "505@5K5R5d5y5",
        "0G0x071=1G1S1Z1h1s1{1",
        "ENABLEEXTENSIONS",
        "@PVVWS",
        ".didat$4",
        ".text$yd",
        "CMDCMDLINE",
        "\\Shell\\Open\\Command",
        ";)<B<H<`<",
        "8^9{9",
        "DefaultColor",
        "j\\^f91",
        "GlobalFree",
        ">E>a>n>",
        "?*?1?I?P?u?|?",
        "u?h.'",
        "L$xQV",
        "0-0q0Q2W2]2g2q2x2",
        "D$(SPQ",
        "Copyright (c) Microsoft Corporation. All rights reserved.",
        "api-ms-win-core-threadpool-l1-2-0.dll",
        ":1;U;s;",
        "j:Zf;",
        ".data$rs$brc",
        "4-5H5n5",
        "RegOpenKeyExW",
        "VShb#",
        "Software\\Classes",
        "api-ms-win-core-libraryloader-l1-2-0.dll",
        "D$ Ph",
        "<$<[<i<",
        "2 2'22292D2K2V2]2",
        "j Xf9DN",
        "_o__initialize_onexit_table",
        "VPj#S",
        "MKLINK",
        "    version=\"5.1.0.0\"",
        "PATHEXT",
        "WNetAddConnection2WStub",
        "YY8\\$",
        "cCBR_p",
        "8f9s:",
        "2K3g3x3",
        "7$7*70757;7A7U7`7e7k7q7",
        "5d5q5",
        ".didat$6",
        "RtlNotifyFeatureUsage",
        "GetFullPathNameW",
        "314;4I4w4",
        "j\\Yf9",
        "_o__set_new_mode",
        ";\";*;1;",
        "prRRRPa",
        "AcquireSRWLockExclusive",
        "IDI_APPICON",
        "CreateFileW",
        "6&70797",
        "NTDLL.DLL",
        "_except_handler4_common",
        "WaitForThreadpoolTimerCallbacks",
        ":+;;;",
        "D$(VW",
        "RtlFreeHeap",
        "UpdateProcThreadAttribute",
        "QQhL%T",
        "GetFileSize",
        "tHj Y",
        "YjDYf;",
        "InitializeCriticalSectionEx",
        "wwwwwwww",
        "GetModuleHandleExW",
        "u/9=l",
        "RtlDosPathNameToNtPathName_U",
        ".idata$6",
        "2 2$282<2P2T2h2l2",
        "ext-ms-win-branding-winbrand-l1-1-0.dll",
        "6\"666I6^6d6j6p6v6|6",
        "f90tW",
        "ProductVersion",
        "ReturnHr",
        "RSDS7",
        ".didat$7",
        "6=6e6",
        "FTYPE",
        "TerminateProcess",
        "8.989",
        "YjWYf+",
        "REALTIME",
        "FileDescription",
        "_o_towupper",
        "5 5$585<5P5T5",
        ";'<^<",
        "api-ms-win-core-registry-l1-1-0.dll",
        ".data$dk00$brc",
        "Uv@8Wv",
        "0\"12171",
        "8'8B8e8k8",
        "rEj=Xf9",
        "_o_feof",
        "CMD Internal Error %s",
        "%6Ru'",
        "DeviceIoControl",
        "InitializeCriticalSection",
        "6/656<6B6K6]6",
        "Ph@5T",
        "5(515L5j5",
        ".?AVbad_array_new_length@std@@",
        "<T<c<u<",
        "GetACP",
        "Vj/Xf",
        "L$DQP",
        "lstrcmpW",
        "?!?*?8?f?n?",
        "*t}f;E",
        "SHARED",
        "+w@X,w",
        "VSh]#",
        "Microsoft Corporation",
        "j\\Xj*f9DK",
        "RtlDosPathNameToRelativeNtPathName_U_WithStatus",
        "=%>a>",
        "RtlDllShutdownInProgress",
        "GetConsoleMode",
        "api-ms-win-core-console-l2-1-0.dll",
        "0%111=1C1I1O1U1]1c1j1p1u1}1",
        "RegQueryValueExW",
        "f;D$(u",
        "545]5u5",
        "3T4X5e5",
        ":;:A:\\:",
        ".CRT$XCA",
        "f;D$4u",
        "CreateHardLinkW",
        "D$09L$",
        "j.Xf9",
        "RemoveDirectoryW",
        "FreeEnvironmentStringsW",
        "_o_srand",
        "_initterm_e",
        "_setjmp3",
        "2\"2.2;2E2R2]2b2",
        "<%<5<B<O<x<~<",
        "<I<X<^<n<t<",
        "(%s) %s ",
        "t$4j S",
        "api-ms-win-core-string-l1-1-0.dll",
        "GetCommandLineW",
        "1 1>1F1",
        "+C F;C w",
        "_o___acrt_iob_func",
        "43595c5m5s5",
        "4O4W4",
        "_local_unwind4",
        "j\"[f;",
        ".rdata",
        ".CRT$XIZ",
        "L$0Q3",
        "4S546Y6d6y6",
        "VtPh(#",
        "9^:x:}:",
        "api-ms-win-core-processtopology-l1-1-0.dll",
        "_o__close",
        "_o__initialize_narrow_environment",
        "<1<6<F<T<]<y<",
        "u3SShH4T",
        "ext-ms-win-branding-winbrand-l1-1-1",
        "kernelbase.dll",
        "040904B0",
        "                level=\"asInvoker\"",
        "Sh(PO",
        "1+2N2",
        "((((&&(&&&(&(&&&&&&(((#&&###",
        "GetModuleHandleW",
        "api-ms-win-crt-time-l1-1-0.dll",
        "=$=2=>=J=V=b=n=x=",
        "n<DSbb",
        "2H2h3r3}3",
        "tmj/Xf;",
        "LocalFree",
        "; <*</<E<",
        ";K<&=",
        "CreateSymbolicLinkW",
        "api-ms-win-core-handle-l1-1-0.dll",
        "? ?-?3?}?",
        "j\"Yf;",
        "        <ws2:longPathAware>true</ws2:longPathAware>",
        "Wv@!Wv ",
        "_o_wcstol",
        "<+<0<5<V<[<h<",
        "<$<z<",
        "5b6|6",
        "|$(Wj",
        "j:Xf9G",
        "api-ms-win-core-delayload-l1-1-0.dll",
        "WWWSQ",
        ": :':,:l:q:",
        "lext-ms-win-cmd-util-l1-1-0",
        "6*6Q6_6",
        "X[_^]",
        "NtQueryInformationToken",
        "C:\\Users\\malware\\AppData\\Local\\Temp",
        "DEFINED",
        "api-ms-win-crt-runtime-l1-1-0.dll",
        "8 8<8X8`8",
        "3$3\\3",
        "\\XCOPY.EXE",
        "GetLocalTime",
        "9t$ ~n",
        "api-ms-win-crt-string-l1-1-0.dll",
        "?&?S?",
        "[%hs(%hs)]",
        "Application",
        "APerformArithmeticOperation: '%c'",
        "GetFileSecurityW",
        "j=Zf9",
        "6!60666D6M6",
        "+wP},w",
        "<}&vW",
        "ext-ms-win-branding-winbrand-l1-1-2",
        "959R9^9l9z9",
        "<\"<t<",
        "SetThreadpoolTimer",
        "0w`o.w",
        "InitializeSListHead",
        "Args: `%s' ",
        "2-343B3I3W3^3l3s3",
        ":j;x;",
        "D$(PQ",
        "WriteFile",
        "95:]:",
        "GetVDMCurrentDirectoriesStub",
        "0I0V0h0w0",
        "delims=",
        "j=Xf9",
        "_o_iswspace",
        "j:Yf9H",
        "ShellExecuteExW",
        "PAUSE",
        ".data",
        "SetFilePointer",
        "_o__register_onexit_function",
        "_o_towlower",
        ".giats",
        "<E<P<V<",
        "=1?H?p?",
        "GetEnvironmentVariableW",
        "CompletionChar",
        "L$PQ3",
        ">3>>>C>",
        "=5=B=H=[=g=n=}=",
        "iWWSQ",
        "=/=;=U=o=z=",
        ".bss$zz",
        "YY_^]",
        "IF /?",
        "6,6D6X6\\6p6t6",
        "NtOpenProcessToken",
        "_o__wcsnicmp",
        "Exception",
        "I8SV3",
        "2w3}3",
        "        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
        "Tjjjj",
        "101;1L1Y1k1y1",
        "5C6K6T6`6",
        "_o___std_exception_copy",
        ".data$00",
        "YjdXf;",
        ".rtc$TZZ",
        "_initterm",
        "NtOpenFile",
        "3#3B3Q3v3",
        "5Y5g5n5u5",
        "6h46T",
        "f9>t#",
        "EnterCriticalSection",
        "3$4)484G4L4`4o4",
        "Msg:[%ws] ",
        "!This program cannot be run in DOS mode.",
        "4}\"6W",
        "4)4.4=4e4k4",
        "0(0<0R0e0j0",
        "GetVersion",
        "<noalias>",
        "WilError_03",
        "pqacG%%apppppppaB",
        ".text$mn",
        "f;D$$u",
        "<f<|<",
        "L$@j\\Z",
        "ReleaseSRWLockExclusive",
        "NtClose",
        "GetProcAddress",
        "CompareFileTime",
        "u ;5@",
        "api-ms-win-core-apiquery-l1-1-0.dll",
        ".CRT$XIAA",
        ":):3:K:Y:",
        "Sh4*T",
        "t_f9;tZ",
        "PSVQR",
        "?D?J?\\?v?|?",
        "6J7a7",
        "memmove",
        ":#;O;W;",
        "MACHINE",
        "PQQQV",
        "3ntdll.dll",
        "2:2W2c2",
        "NtQueryVolumeInformationFile",
        "CreateProcessW",
        "QQVWj",
        "060P0h0",
        "3E4X4l4",
        "t$4Bf",
        "VERIFY",
        "SVWj/X",
        "_o__wcsicmp",
        "2=2K2S2e2p2",
        "=;>j>",
        "api-ms-win-core-winrt-l1-1-0.dll",
        "10.0.22621.1635 (WinBuild.160101.0800)",
        ".CRT$XIAC",
        "FindNextStreamWStub",
        ".rtc$TAA",
        "MultiByteToWideChar",
        "9+9O9V9z9",
        "t$du<",
        "j:Xf9",
        "4>5X6:7~7",
        "DIRCMD",
        ":4:I:S:",
        "_o__pipe",
        "FormatMessageW",
        "NEWWINDOW",
        "[%hs]",
        "api-ms-win-core-processenvironment-l1-1-0.dll",
        "8 8$84888@8X8\\8`8d8h8l8p8t8x8|8",
        "@Qm6t",
        "2$2*282?2v2",
        "MM/dd/yy",
        "5=5?6",
        "90979M9j9",
        "929=9Y9h9w9",
        "(caller: %p) ",
        "?)?9?I?Y?i?y?",
        "HeapReAlloc",
        "ReleaseMutex",
        "HeapAlloc",
        "cG?CCRRRRP`R",
        "onecore\\base\\cmd\\maxpathawarestring.cpp",
        "Rht+T",
        "u*f9~",
        "ext-ms-win-appmodel-shellexecute-l1-1-0.dll",
        "wcsspn",
        " [...]",
        "071P1p1",
        "AMD64",
        "0a0z0",
        "_o___p___argc",
        "TvP|Wv",
        "=2=;=F=",
        "t$<ShT#",
        "_o__controlfp_s",
        "{~WPh",
        "lstrcmpiW",
        "SetLastError",
        "    type=\"win32\"",
        "<4<8<X<x<",
        "ext-ms-win-cmd-util-l1-1-0.dll",
        "<6<B<p<y<",
        ".gfids",
        "QQSVW",
        "_o__exit",
        "L$(f9",
        "3'363K3^3i3r3{3",
        "_register_thread_local_exe_atexit_callback",
        "? ?=?B?[?l?v?~?",
        "OpenSemaphoreW",
        "1!1+1A1K1T1[1w1Q3",
        "z]w z`w i`w",
        "v<PWh",
        ".?AVtype_info@@",
        "GetCurrentDirectoryW",
        "7<7@7P7T7\\7t7",
        "9A t;9",
        "u$h4%T",
        "_o__purecall",
        "Null environment",
        "GetVolumePathNameW",
        "TOP-21H4T4T",
        "D$0f90",
        "= =6=",
        "WShu#",
        "5&6>6",
        "5M5T5(6",
        "PShc#",
        "SetErrorMode",
        "3;4G4b4.5N5X5",
        "IsDebuggerPresent",
        "j\"Xf9",
        "@.reloc",
        "api-ms-win-core-misc-l1-1-0.dll",
        "wcsstr",
        ">A>c>m>",
        "PPPQPPVV",
        ".text$lp00cmd.exe!20_pri7",
        "7!8)888@8H8m8s8z8",
        "SVWj$",
        ">??n?",
        ":1;s;",
        "42474<4[4c4w4",
        "NORMAL",
        "Yj Zf;",
        "ResolveDelayLoadedAPI",
        "GetUserDefaultLCID",
        "System",
        "Software\\Microsoft\\Windows NT\\CurrentVersion",
        "HeapSetInformation",
        "api-ms-win-core-processthreads-l1-1-1.dll",
        "api-ms-win-core-console-l3-2-0.dll",
        "GetThreadLocale",
        "j/Xf;",
        ".text$zz",
        "GetCurrentProcessId",
        ">;>S>",
        "GetModuleFileNameW",
        "wwwwwwwwwwwwwww",
        "7/7Z7i7s7",
        "cal\\Temp\\test_win.bat",
        "CMD.EXE",
        ".rdata$r$brc",
        "40444H4L4`4d4x4|4",
        "api-ms-win-core-sysinfo-l1-1-0.dll",
        "j\"Yf9",
        "9O\\tcQh",
        "9]:D;",
        "api-ms-win-core-heap-l2-1-0.dll",
        ";$;1;V;b;|;",
        ":I;Y;",
        "D$xPS",
        "0>0U0e0~0",
        "v<h0+T",
        "3(3u3}3",
        "D$PSV",
        "PU,//",
        "LoadLibraryExW",
        "_o_rand",
        "%s %s%s ",
        "j\\Xf;",
        "joX_^[",
        "Vj ^S",
        "5'535",
        "ResumeThread",
        "CopyFileW",
        ";R<Z<b<",
        "ABOVENORMAL",
        "NtOpenThreadToken",
        "_time32",
        "_o___std_exception_destroy",
        "jcZj)f",
        "2G2T2",
        "=9>x>",
        "5@6Q6V6i6",
        "_o___stdio_common_vswprintf",
        "j\\_j:Yf9H",
        "QhH(T",
        "0(060@0N0X0f0p0",
        "2)3b3",
        "@PVVWSR",
        "<3=d=",
        "0%1t1x1",
        "D$\\t\"j",
        ":6;H;b;",
        "\\$0SP",
        "D$0Ph",
        "7M8T8e8",
        "777F7K7",
        "j-Yf;",
        "X<j(Y",
        "PQSVW",
        "api-ms-win-core-delayload-l1-1-1.dll",
        "809p9",
        "AFFINITY",
        "DISABLEEXTENSIONS",
        ".CRT$XCZ",
        "WriteConsoleW",
        "WideCharToMultiByte",
        "3^3i3y3",
        "GetFileInformationByHandleEx",
        "u#Sh)'",
        "97s/j",
        "787S7",
        "_w07]w@ ^w",
        "CallContext:[%hs] ",
        "464{4",
        "SetCurrentDirectoryW",
        "<0@0H0P0h0p0",
        "5'505k5q5",
        "ReleaseSemaphore",
        ".data$zz",
        "SetConsoleMode",
        " [..]",
        ".text$zs",
        "DeleteProcThreadAttributeList",
        "PROMPT",
        "j%Xtnj/_Shl",
        "|$$f9",
        "=)=L=W=k= >c>",
        "FOR /?",
        "GeToken: (%x) '%s'",
        "%d.%d.%05d.%d",
        "DPATH",
        ".data$r$brc",
        "Microsoft",
        "_o_iswdigit",
        "t5j Y",
        "WilFailureNotifyWatchers",
        "L$,RQh",
        "<4<8<<<@<D<H<L<P<T<X<",
        "PSh[#",
        ".rsrc$02",
        "OriginalFilename",
        "AcquireSRWLockShared",
        "+050E0^0f0m0x0",
        "j-Zj/Xf;",
        "SETLOCAL",
        "PVht)T",
        "_o_qsort",
        "GetConsoleWindow",
        "6 7/747=7^7d7",
        "RegSetValueExW",
        "3&3b3o3",
        "2&202?2u2",
        "u&Rh7#",
        "Q.wPS.w",
        "ENABLEDELAYEDEXPANSION",
        "=ExitCodeAscii",
        "tbf98t]",
        "j\\Zj:Yf",
        ":7:Q:W:",
        ".EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
        "_o__get_osfhandle",
        "0#0)020=0B0H0U0]0b0l0{0",
        "CompanyName",
        "D$H;D$,",
        "L$<QWP",
        "6!6,646>6H6_6e6p6v6",
        "uxWh@",
        "api-ms-win-core-processthreads-l1-1-0.dll",
        "?7?S?\\?",
        "DelayedExpansion",
        "RtlUnregisterFeatureConfigurationChangeNotification",
        "eIDATx",
        "<SVW3",
        "!KD4)#",
        "DisableCMD",
        "ReadFile",
        "SearchPathW",
        "ext-ms-win-branding-winbrand-l1-1-0",
        "SetConsoleCtrlHandler",
        ">!>A>a>k>",
        "?#?*?1?8???F?N?V?^?i?n?t?~?",
        "VPj!S",
        "0'0/0",
        "8V9Y:m:s:y:",
        "9#9'9=9F9O9W9w9",
        " malware",
        ".rdata$brc",
        " %USERNAME%",
        "DelayLoadFailureHook",
        "LegalCopyright",
        "878>8F8N8",
        "MKDIR",
        "<$<]<",
        ";$;.;7;A;J;T;];g;y;",
        "=F>v>",
        "GetSystemTimeAsFileTime",
        "F8^f90u",
        "GetStdHandle",
        ";\"<1<><L<d<j<",
        "182A2M2U2g2",
        "8S8r8",
        "2:2A2j2",
        "`.data",
        "N8SQj",
        "RANDOM",
        "fdpnxsatz",
        "SSSSQ",
        "223B3G3M3]3b3h3x3}3",
        ".rtc$IAA",
        "'Px0&D",
        "LogHr",
        "+w0/,w",
        ".didat$3",
        "RtlRegisterFeatureConfigurationChangeNotification",
        "_c_exit",
        "6]6g6k6v6",
        "L$,tB",
        "F<Gf9",
        "FindFirstFileW",
        ">G?Y?e?q?w?",
        "D$lPV",
        "NtSetInformationFile",
        "Qh@7T",
        "535C5a5",
        "GetLastError",
        "RegCreateKeyExW",
        "9t:x:|:",
        ":5:r:",
        "ShellExecuteWorker",
        "GetVolumeInformationW",
        "CloseHandle",
        ">/?h?",
        ";+;0;8;Z;y;~;",
        "83989",
        ".text$zy",
        "t[QhH+T",
        "1+1D1",
        "memcpy",
        "VVVQV",
        ".rdata$zz",
        ".?AVexception@std@@",
        "mkdir ",
        "<*<2<F<^<l<x<",
        "?,?B?",
        ".didat$5",
        "GetSecurityDescriptorOwner",
        "t$8WQ",
        "_o__ultoa_s",
        "_o_ferror",
        "%04X-%04X",
        ".text$x",
        "?H?e?",
        "GetExitCodeProcess",
        "useback",
        "_w _Wv",
        "StringFileInfo",
        "t3VSh",
        "L$\\_^[3",
        "RtlFreeUnicodeString",
        "8C9O9Y9}9",
        "3=4Z4",
        "?7?F?L?W?^?d?",
        "_o__dup",
        "_o___p__commode",
        "DuplicateHandle",
        "SVWhH[X",
        "D$pPS",
        "RtlNtStatusToDosErrorNoTeb",
        ":':5:C:\\:b:h:o:u:",
        "Local\\SM0:%lu:%lu:%hs",
        "Translation",
        "api-ms-win-core-debug-l1-1-0.dll",
        ".bss$00",
        "0N1T1",
        "</=7=G=]=e=u=",
        "HH:mm:ss t",
        "VVv@YWv",
        "D$4Pj",
        ".xdata$x",
        "ERRORLEVEL",
        "CreateThreadpoolTimer",
        "?r?{?",
        "676[6w6",
        "_o__callnewh",
        "080y0",
        " }0j@",
        "0 161C1_1m1",
        ">/>_>q>{>",
        "2!353g3{3",
        "777j7t7z7",
        ".bss$dk00",
        "ext-ms-win-appmodel-shellexecute-l1-1-0",
        "PhD-T",
        ":%:G:r:|:",
        "    </security>",
        "<t;-,",
        "2!20272F2M2",
        "4sf9>uD",
        "SVWQQj",
        "IsProcessorFeaturePresent",
        "api-ms-win-core-datetime-l1-1-0.dll",
        "_o_fflush",
        "8!8;8D9R9W9~9",
        "O8j*Z",
        "%WINDOWS_COPYRIGHT%",
        "6c7j7q7$8=8C8N8W8f8m8w8}8",
        "HeapFree",
        "        </requestedPrivileges>",
        "0 0$0(0,0004080<0@0D0H0L0",
        "4!5(595G5U5c5q5",
        "TITLE",
        "_o__seh_filter_exe",
        "ScrollConsoleScreenBufferW",
        "D$,PV",
        "RENAME",
        ".CRT$XTA",
        "GetModuleFileNameA",
        "GetFileAttributesExW",
        "*)))))))))))))))))))))",
        "Vhh7T",
        "memcmp",
        "31393F3N3a3",
        "se%%%%% R",
        "D$$SVW",
        "j%Yf;",
        "2-3]4c4s4{4",
        "GetStartupInfoW",
        "4&5.5:5E5M5Y5`5l5s5",
        "343c3j3,414Y4n4u4",
        "pconfig",
        ".bss$pr00",
        "MoveFileWithProgressW",
        "j:Xf9A",
        "SVWj/Xf",
        "Ungetting: '%s'",
        "_o__dup2",
        " Microsoft Corporation. All rights reserved.",
        "Windows Command Processor",
        "j:Xf;",
        "RevertToSelf",
        "1)2D2N2",
        "OpenThread",
        "3#4?4L4p4x4",
        "],//cuu",
        "RQQVVVP",
        "Rh((T",
        "ipconfig",
        "GetConsoleScreenBufferInfo",
        "5:6A6F6L6",
        "_o__crt_atexit",
        "RegEnumKeyExW",
        "api-ms-win-core-interlocked-l1-1-0.dll",
        "_o__wcsupr",
        "    processorArchitecture=\"x86\"",
        "_o__set_fmode",
        "FillConsoleOutputAttribute",
        ">$>5>i>",
        ".rdata$zzzdbg",
        "_o__open_osfhandle",
        "VSh\\#",
        ".rdata$sxdata",
        "L$0Qh",
        "1B2O2",
        ">??E?",
        "COMSPEC",
        "0\"1R1\\1c1",
        "SetThreadUILanguage",
        "jUv`FWv",
        "SetConsoleTitleW",
        "!w\\t&H+",
        "1/1t1y1",
        "api-ms-win-core-file-l2-1-0.dll",
        "f90u)",
        "4qaCCRCCCB",
        "memset",
        "262?2E2u2z2",
        "; ;D;P;X;p;x;",
        "_o_free",
        "D$$Ph",
        "QQSVWj",
        "515=5C5]5c5v5|5",
        "REM/?",
        "3e4n4w4}4",
        "ENDLOCAL",
        "8/8V9",
        "GetFileType",
        "    <windowsSettings xmlns:ws2=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">",
        "WaitForSingleObject",
        ".CRT$XCAA",
        "SetConsoleInputExeNameW",
        "f97tb",
        "93:::T:[:",
        "api-ms-win-core-memory-l1-1-0.dll",
        "cv0CWv Dcv",
        "u%6RRRRRPp",
        "^v0WVv",
        "_o__errno",
        "System\\Software\\Microsoft\\Command Processor",
        "j%Xf9",
        "InitializeProcThreadAttributeList",
        "465x5",
        "j Yf9",
        ";&;2;>;J;V;b;n;z;",
        "NtQueryWnfStateData",
        ":+:_:r:",
        "_o__wcslwr",
        "api-ms-win-core-localization-l1-2-0.dll",
        "                uiAccess=\"false\"",
        "wwwwwwwwwwwwwwwwwwwww",
        "0'0j0",
        "%hs!%p: ",
        "_o__getch",
        "8I8s8",
        "CreateProcessAsUserW",
        "L$ h(#",
        "PSh^#",
        "=!>'>i>n>",
        ".rdata$zz$brc",
        " Operating System",
        "3I4X4n4",
        "lware",
        "FindFirstStreamWStub",
        "GetFileAttributesW",
        "GetEnvironmentStringsW",
        "uqj?Z",
        "bad allocation",
        ".00cfg",
        "0T0b0r0",
        "\\CMD.EXE",
        "j\\Zf9",
        "bv`{bv",
        "O<j;Z",
        "9 949:9L9Q9W9\\9b9m9s9z9",
        "QQSVW3",
        "</trustInfo>",
        "<\"<C<I<P<",
        "MoveFileExW",
        "api-ms-win-core-console-l1-1-0.dll",
        "SystemTimeToFileTime",
        "Wj:Xf9F",
        "_o__configthreadlocale",
        "Unknown exception",
        "L$ PQ",
        "_o_exit",
        "XbsPXbs",
        "CreateDirectoryW",
        "t5PPQhP",
        "_o_iswxdigit",
        "WilStaging_02",
        ".CRT$XPA",
        "api-ms-win-core-timezone-l1-1-0.dll",
        "wcsrchr",
        "8=:x:",
        "5Z6`6",
        "u8Wh ",
        "SetUnhandledExceptionFilter",
        "'j:Xj.f",
        "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "QueryFullProcessImageNameWStub",
        "__CxxFrameHandler3",
        "LookupAccountSidWStub",
        "_ _^[",
        "FileVersion",
        "@_^[]",
        "1[1z1",
        "config",
        "CreateSemaphoreExW",
        "            <requestedExecutionLevel",
        "QRPh<",
        "SSSSP",
        "7$7H7q7x7",
        "QRRRP",
        "R- 6W",
        "FindNextFileW",
        "Y@_^[",
        "<!-- Copyright (c) Microsoft Corporation -->",
        "667n7",
        "Y__^[",
        "Qh$4T",
        "5d5k5",
        "9&u%3",
        "NtUpdateWnfStateData",
        "=!?;?",
        ".CRT$XTZ",
        "E$uwM",
        "=ExitCode",
        "9-:S:",
        ";E;j;z;",
        "?#?1?F?T?_?n?s?x?",
        "GetThreadGroupAffinity",
        "Software\\Microsoft\\Command Processor",
        "SetFilePointerEx",
        "<i=}=",
        "NeedCurrentDirectoryForExePathW",
        "XXX8Pvh8v",
        ".idata$2",
        "0#030=0N0^0t0{0",
        "api-ms-win-core-io-l1-1-0.dll",
        "RMDIR",
        ":u0f9N",
        "y.wpR.w",
        "ExpandEnvironmentStringsW",
        "4%4+494l4",
        "`v`*Uv",
        "_o_malloc",
        ":D:Q:",
        "4#4)4.44494?4E4J4",
        "HeapSize",
        "SetEnvironmentVariableW",
        "4T5_5",
        "FileTimeToSystemTime",
        "1,171T1r1",
        ".rdata$voltmd",
        "cmd.exe",
        ":0:P:p:",
        "ERASE",
        "wcsncmp",
        "849`9",
        "6 7f7",
        "    </windowsSettings>",
        "VirtualFree",
        "api-ms-win-core-errorhandling-l1-1-0.dll",
        "RegDeleteKeyExW",
        " enough memory resources are available to process this command.",
        "9Z:a:",
        ".didat$2",
        "GetNumaNodeProcessorMaskEx",
        "GetConsoleTitleW",
        "0\"0(0P0",
        "api-ms-win-core-processenvironment-l1-2-0.dll",
        "YY[_^",
        "Wht*T",
        "m;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Users\\malware\\AppData\\Local\\Programs\\Python\\Python310-32\\Scripts\\;C:\\Users\\malware\\AppData\\Local\\Programs\\Python\\Python310-32\\;C:\\Users\\malware\\AppData\\Local\\Microsoft\\WindowsApps",
        ".rtc$IZZ",
        "SetLocalTime",
        "FOR/?",
        "=0=F=i=",
        "D$.PVj",
        "%s=%s",
        "DoSHChangeNotify",
        ";|$,u,9L$L|&",
        "KERNEL32.DLL",
        "W()|&=,;\"",
        ".idata",
        "<C<Q<",
        "ApiSetQueryApiSetPresence",
        "D$$95",
        "RtlReleaseRelativeName",
        "CHDIR",
        "T$$9T$",
        "CmdBatNotificationStub",
        "FlushConsoleInputBuffer",
        "SetEnvironmentStringsW",
        "RtlDisownModuleHeapAllocation",
        ".idata$3",
        "=8=R=w=",
        "5E6[6",
        "f91t4",
        ".text$np",
        "tokens=",
        "SEPARATE",
        "8\"878J8U8j8",
        "@u/QQ3",
        "91:4;R;Z;",
        "VirtualQuery",
        ">#>K>S>",
        "?(?B?I?[?i?",
        "?,?9?G?M?W?\\?b?{?",
        "8&8F8\\8",
        "PVh0)T",
        "SaferWorker",
        "=X?x?",
        ": %USERNAME%",
        "7#8v8",
        "L$4^3",
        "1?2[2",
        "tAj0Y",
        "api-ms-win-core-profile-l1-1-0.dll",
        "7=8S8",
        "NtCancelSynchronousIoFile",
        "RoUninitialize",
        "SVWj,",
        "%s (%s) %s",
        "617:7",
        "u0!C\\",
        "_o__setmode",
        "D$dPQj",
        "2B2Z2",
        "7\"8<8D8K8V8^8i8",
        "%hs(%u)\\%hs!%p: ",
        ";\\$$r",
        "longjmp",
        "2=2t2",
        "PUSHD",
        "0?0N0U0w0",
        "_o_terminate",
        "GetSystemTime",
        "ReturnNt",
        "O8j?Z",
        "<assemblyIdentity",
        ";';5;",
        "EnableExtensions",
        "tej\\Yf;",
        "tyj=_f;",
        "jDXP3",
        "8>9H9T9",
        "9:9S9n9v9",
        "0I1`1",
        "0-0F0T0^0d0v0",
        "j\\Zj:Y",
        "<I=O=",
        ".idata$5",
        "WaitForSingleObjectEx",
        "t*j Z",
        "chdir ",
        "D$$9D$tu+9D$4t",
        "u&Rh8#",
        "RaiseFailFastException",
        "7$7l7",
        "9|$Xu",
        "9-:F:M:k:",
        "~)f9LS",
        "_o__ultoa",
        "j\"[umf9",
        ";,<=<J<^<v<",
        "3.4A4",
        "Cmd.Exe",
        "SHIFT",
        "9,979F9L9Q9W9l9q9y9",
        "<*=C=G=k=",
        "dd/MM/yy",
        "6X6g6",
        "CSVFS",
        "1&1,1>1H1",
        ".rdata$00",
        ">_^[]",
        "w{hx4T",
        "GetCurrentProcess",
        "GetDriveTypeW",
        ".CRT$XPZ",
        ".CRT$XIA",
        "InternalName",
        "Software\\Policies\\Microsoft\\Windows\\System",
        "api-ms-win-core-console-l2-2-0.dll",
        "CopyFileExW",
        "0f;2u",
        "GetCPInfo",
        "RtlFindLeastSignificantBit",
        "B4;r4u",
        ".rdata$00$brc",
        "_o_realloc",
        "RegCloseKey",
        "DISABLEDELAYEDEXPANSION",
        ".didat",
        "AutoRun",
        "_o__set_app_type",
        "g`wPi`w@p`wP",
        "BELOWNORMAL",
        "            />",
        "NtFsControlFile"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
      "process_name": "cmd.exe",
      "module_path": "C:\\Windows\\SysWOW64\\cmd.exe",
      "pid": 5732
    }
  ],
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-03-12 02:59:55",
    "ended": "2026-03-12 03:01:29",
    "duration": 94,
    "id": 6,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 6,
      "status": "stopping",
      "name": "win11",
      "label": "win11",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-03-12 02:59:55",
      "shutdown_on": "2026-03-12 03:01:28"
    },
    "package": "",
    "timeout": true,
    "tlp": null,
    "parent_sample": null,
    "options": {},
    "source_url": null,
    "route": "",
    "user_id": 0,
    "CAPE_current_commit": "0e35d168c0209bbbce54132708d6139b1e04e531"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 4136,
        "process_name": "cmd.exe",
        "parent_id": 1840,
        "module_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "first_seen": "2026-03-12 10:00:22,509",
        "calls": [
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x7761cd89",
            "parentcaller": "0x7764273a",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cd9f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "SmtDelaySleepLoopWindowSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySleepLoopWindowSize"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cdb1",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "SmtDelaySpinCountThreshold"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySpinCountThreshold"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cdc3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "SmtDelayBaseYield"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayBaseYield"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cdd5",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "SmtFactorYield"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtFactorYield"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cde7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "SmtDelayMaxYield"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayMaxYield"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x7761cdf5",
            "parentcaller": "0x7764273a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "5080",
            "caller": "0x775d2c5f",
            "parentcaller": "0x775d6be4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000090"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 9
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "4164",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xeef\\x06\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xeef\\x06\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "4164",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "4164",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "5080",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x03\\xc4\r\\x00\\xe0\\xedR\\x06\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\xe8\\xedR\\x06\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "5080",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "5080",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "2316",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x03\\xc4\\x06\\x00@\\xf3\\xf9\\x04\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x01H\\xf3\\xf9\\x04\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "2316",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "2316",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "6272",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x03\\xc4\\x06\\x00\\xb0\\xec\\xe4\\x04\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\xb8\\xec\\xe4\\x04\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "6272",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "6272",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x005539b4",
            "parentcaller": "0x0055bce2",
            "category": "threading",
            "api": "NtOpenThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001fffff",
                "pretty_value": "THREAD_ALL_ACCESS"
              },
              {
                "name": "ProcessId",
                "value": "4136"
              },
              {
                "name": "ThreadId",
                "value": "18446744073648275455"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x005505a0",
            "parentcaller": "0x0055bce2",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x005505c0",
            "parentcaller": "0x0055bce2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadUILanguage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76cb1f50"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x00550589",
            "parentcaller": "0x0055bce2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xfc\\xf8\\xf7\\x02\\xc8\\xf9\\xf7\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf9\\xf7\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xa5\\x91\\xba)*\\xb2\\xbc\\x01/\\x0f\\xf7\\x13\\xe9\\x03\\x00\\x00\\xe2\\xbcU\\x00`\\xfb\\xf7\\x026\\xe1es\\xa0\t\\x85s\\x8c\\xac\\x8ds\\xf4\\x919\\x05x\\xaa\\x87s\\xb0\\xfb\\xf7\\x02\\xf4\\xfc\\xf7\\x02 \\xfb\\xf7\\x02\\xd5\\xc6\\xf6\\x00"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-700092837-29143594-334958383-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-03-12 10:00:23,087",
            "thread_id": "3820",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000248"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x005552da",
            "parentcaller": "0x0055bce2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\x00\\x00\\x00@\\xfc\\xf7\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xe8\\x1eT\\x00H\\xfc\\xf7\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054a189",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xac\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00@\\xe2zs\\xc8\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1e\\xe9Vv\\xd0\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054a19d",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x9c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00@\\xe2zs\\xc8\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1e\\xe9Vv\\xd0\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x005505fc",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xac\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 34
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00550642",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x9c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 35
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 36
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000140"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549af6",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "DisableUNCCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549b66",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "EnableExtensions"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549bd6",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "DelayedExpansion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549c46",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "DefaultColor"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549cae",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "CompletionChar"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549d3f",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "PathCompletionChar"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549e0f",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "AutoRun"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549e89",
            "parentcaller": "0x0054a1bd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 46
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000248"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 48
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000140"
              },
              {
                "name": "ObjectAttributesName",
                "value": "System\\Software\\Microsoft\\Command Processor"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00549e9a",
            "parentcaller": "0x0054a1bd",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03079000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03089000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03099000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054a7b6",
            "parentcaller": "0x00552c30",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x03068fd8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xbb4eff2e"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d861d1"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x03069598",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3ff7b2fa"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb1f1"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x03069098",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3ffedbdf"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb1f1"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x03069098",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x4003a527"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb1f1"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x03068fd8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x4003a527"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb1f1"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054a80c",
            "parentcaller": "0x00552c30",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00552c30",
            "parentcaller": "0x0054a254",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030a9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054c97e",
            "parentcaller": "0x00552c30",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0055330e",
            "parentcaller": "0x00552c30",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03098000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00552c42",
            "parentcaller": "0x0054a254",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03098000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x00552c42",
            "parentcaller": "0x0054a254",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03088000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054a274",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03088000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054ff75",
            "parentcaller": "0x0054a274",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03088000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054a303",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xb4\\x05bw\\xd0\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x04\\xfb\\xf7\\x02\\xd8\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xcc\\xe9\\x14\\x00\\x00\\x00\\x00\\x00n\\xdb\\x03\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xe4\\x96\\x14\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-03-12 10:00:23,103",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xf1\\x06\\x03\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xa5\\x91\\xba)*\\xb2\\xbc\\x01/\\x0f\\xf7\\x13\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-03-12 10:00:23,118",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "3820"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76581d9c"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a341",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xff\\x07\\x00\\x00X\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xef\\x00\\x00\\x00`\\xfb\\xf7\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00`\\xf0*wp\\xa8\n\\x03\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a411",
            "parentcaller": "0x00553a2b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a422",
            "parentcaller": "0x00553a2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "CopyFileExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76caf600"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a438",
            "parentcaller": "0x00553a2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "IsDebuggerPresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76c9da00"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a449",
            "parentcaller": "0x00553a2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "SetConsoleInputExeNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76626aa0"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a465",
            "parentcaller": "0x00553a2b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03074000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03088000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054ff75",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03088000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x005507f6",
            "parentcaller": "0x00553ae3",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "start"
              },
              {
                "name": "Arguments",
                "value": " /wait \"\" \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\""
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054d1cc",
            "parentcaller": "0x005507f6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xf8\\xf6\\xf7\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xe1\\x00\\x00\\x00\\x00\\xf7\\xf7\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xb0\\xee\\x00\\x06\\xd8\\xf9\\xf7\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03088000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054d14e",
            "parentcaller": "0x0054d222",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03098000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03098000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03074000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030ba000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030bf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030c4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054fefe",
            "parentcaller": "0x00557487",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030d4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x00555004",
            "parentcaller": "0x00551ba3",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0055500e",
            "parentcaller": "0x00551ba3",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 106
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x00559fff",
            "parentcaller": "0x0054b613",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x030694d8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xdd8a00ae"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb206"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x0054a4cf",
            "parentcaller": "0x00551f4d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x005522e5",
            "parentcaller": "0x00557487",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030d3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x005522e5",
            "parentcaller": "0x00557487",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x030c3000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-03-12 10:00:23,165",
            "thread_id": "3820",
            "caller": "0x005577dd",
            "parentcaller": "0x00559e70",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000234"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000023c"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\cmd.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\""
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "5732"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-03-12 10:00:23,228",
            "thread_id": "3820",
            "caller": "0x005577dd",
            "parentcaller": "0x00559e70",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-03-12 10:00:23,228",
            "thread_id": "3820",
            "caller": "0x005577dd",
            "parentcaller": "0x00559e70",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "KernelBase"
              },
              {
                "name": "BaseAddress",
                "value": "0x76430000"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-03-12 10:00:23,243",
            "thread_id": "3820",
            "caller": "0x005577dd",
            "parentcaller": "0x00559e70",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "3820"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76581dcc"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-03-12 10:00:23,243",
            "thread_id": "3820",
            "caller": "0x005577dd",
            "parentcaller": "0x00559e70",
            "category": "process",
            "api": "CreateProcessW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\cmd.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\""
              },
              {
                "name": "CreationFlags",
                "value": "0x00080410"
              },
              {
                "name": "ProcessId",
                "value": "5732"
              },
              {
                "name": "ThreadId",
                "value": "6772"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000234"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000023c"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-03-12 10:00:23,243",
            "thread_id": "3820",
            "caller": "0x005578ec",
            "parentcaller": "0x00559e70",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-03-12 10:00:23,243",
            "thread_id": "3820",
            "caller": "0x005497b2",
            "parentcaller": "0x00557997",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-03-12 10:01:22,212",
            "thread_id": "3088",
            "caller": "0x775fe5d6",
            "parentcaller": "0x775cf563",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3088"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-03-12 10:01:22,212",
            "thread_id": "3088",
            "caller": "0x775fe5f9",
            "parentcaller": "0x775cf563",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-03-12 10:01:22,212",
            "thread_id": "2208",
            "caller": "0x775fe5d6",
            "parentcaller": "0x775cf563",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2208"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-03-12 10:01:22,212",
            "thread_id": "2208",
            "caller": "0x775fe5f9",
            "parentcaller": "0x775cf563",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 121
          }
        ],
        "threads": [
          "3820",
          "5080",
          "4164",
          "2316",
          "6272",
          "3088",
          "2208"
        ],
        "environ": {
          "UserName": "malware",
          "ComputerName": "DESKTOP-21H4T4T",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\malware\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "d00a-3b77",
          "SystemVolumeGUID": "6b93884e-0000-0000-0000-500600000000",
          "MachineGUID": "",
          "MainExeBase": "0x00540000",
          "MainExeSize": "0x0005b000",
          "Bitness": "32-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 5732,
        "process_name": "cmd.exe",
        "parent_id": 4136,
        "module_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "first_seen": "2026-03-12 10:00:23,495",
        "calls": [
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6772",
            "caller": "0x7761cd89",
            "parentcaller": "0x7764273a",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6772",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cd9f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "SmtDelaySleepLoopWindowSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySleepLoopWindowSize"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6772",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cdb1",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "SmtDelaySpinCountThreshold"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySpinCountThreshold"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6772",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cdc3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "SmtDelayBaseYield"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayBaseYield"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6772",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cdd5",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "SmtFactorYield"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtFactorYield"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6772",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cde7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "SmtDelayMaxYield"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayMaxYield"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6772",
            "caller": "0x7761cdf5",
            "parentcaller": "0x7764273a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6772",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6772",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6800",
            "caller": "0x775d2c5f",
            "parentcaller": "0x775d6be4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000090"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 9
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "3164",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xf0\\x19\\x06\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf0\\x19\\x06\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "3164",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "3164",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6800",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x03\\xc4\\x03\\x00\\x98\\xef\\x05\\x06\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x94\\x01\\xa0\\xef\\x05\\x06\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6800",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "6800",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-03-12 10:00:23,636",
            "thread_id": "2516",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x03\\xc4\\x03\\x00p\\xef\\xf5\\x05\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x94\\x01x\\xef\\xf5\\x05\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "2516",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "2516",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "1520",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x03\\xc4\\x03\\x00\\xb0\\xf3\\xe5\\x05\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x94\\x01\\xb8\\xf3\\xe5\\x05\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "1520",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "1520",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x005539b4",
            "parentcaller": "0x0055bce2",
            "category": "threading",
            "api": "NtOpenThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001fffff",
                "pretty_value": "THREAD_ALL_ACCESS"
              },
              {
                "name": "ProcessId",
                "value": "5732"
              },
              {
                "name": "ThreadId",
                "value": "18446744073685499903"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x005505a0",
            "parentcaller": "0x0055bce2",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x005505c0",
            "parentcaller": "0x0055bce2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadUILanguage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76cb1f50"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x0055bce2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x004\\xfb\\xaf\\x02\\x00\\xfc\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xfc\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xa5\\x91\\xba)*\\xb2\\xbc\\x01/\\x0f\\xf7\\x13\\xe9\\x03\\x00\\x00\\xe2\\xbcU\\x00\\x98\\xfd\\xaf\\x026\\xe1es\\xa0\t\\x85s\\x8c\\xac\\x8dsd\\x92\\xcc\\x04x\\xaa\\x87s\\xe8\\xfd\\xaf\\x02,\\xff\\xaf\\x02X\\xfd\\xaf\\x02\\x89\\xd5\\xf5\\x00"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-700092837-29143594-334958383-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x005539e6",
            "parentcaller": "0x0055bce2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x005552da",
            "parentcaller": "0x0055bce2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\x00\\x00\\x00x\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xe8\\x1eT\\x00\\x80\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-03-12 10:00:23,652",
            "thread_id": "6772",
            "caller": "0x0054a189",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00@\\xe2zs\\x00\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1e\\xe9Vv\\x08\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0054a19d",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00@\\xe2zs\\x00\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1e\\xe9Vv\\x08\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x005505fc",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf8\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 34
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00550642",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf8\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 35
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00553a2b",
            "parentcaller": "0x0055bce2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0054c97e",
            "parentcaller": "0x00553a2b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dc1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0054c97e",
            "parentcaller": "0x00553a2b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dc2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 39
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000158"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549af6",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "DisableUNCCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549b66",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "EnableExtensions"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549bd6",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "DelayedExpansion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549c46",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "DefaultColor"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549cae",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "CompletionChar"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549d3f",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "PathCompletionChar"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549e0f",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "AutoRun"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549e89",
            "parentcaller": "0x0054a1bd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 49
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 51
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549ab7",
            "parentcaller": "0x0054a1bd",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000158"
              },
              {
                "name": "ObjectAttributesName",
                "value": "System\\Software\\Microsoft\\Command Processor"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00549e9a",
            "parentcaller": "0x0054a1bd",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dc3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dc8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02de8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0054a7b6",
            "parentcaller": "0x00552c30",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x02db9230",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xbb4eff2e"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d861d1"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-03-12 10:00:23,667",
            "thread_id": "6772",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x02db9670",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3ff7b2fa"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb1f1"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x02db90b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3ffedbdf"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb1f1"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x02db96b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x4003a527"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb1f1"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x0055320a",
            "parentcaller": "0x0054a7e2",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x02db95b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x4003a527"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb1f1"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x00553223",
            "parentcaller": "0x0054a7e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x0054a80c",
            "parentcaller": "0x00552c30",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x00552c30",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02de7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x00552c42",
            "parentcaller": "0x0054a254",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02de7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x00552c42",
            "parentcaller": "0x0054a254",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054a274",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x0054a303",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xb4\\x05bw\\x08\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa89\\x15\\x00\\x00\\x00\\x00\\x00n\\xdb\\x03\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xe4\\x96\\x14\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-03-12 10:00:23,683",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "H\\x96\\xda\\x02\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xa5\\x91\\xba)*\\xb2\\xbc\\x01/\\x0f\\xf7\\x13\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-03-12 10:00:23,699",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "6772"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76581d9c"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a0e3",
            "parentcaller": "0x0054a319",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a341",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xff\\x07\\x00\\x00\\x90\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00(\\x01\\x00\\x00\\x98\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00`\\xf0*w\\xa8\n\\xdc\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054b4f2",
            "parentcaller": "0x0054a35f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xa0\n\\xdc\\x02\\xe8\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00(\\x01\\x00\\x00\\xf0\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a382",
            "parentcaller": "0x00553a2b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x01@\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00\\\\x00\\x00\\x00\\xb0\\xfd\\xaf\\x02H\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a411",
            "parentcaller": "0x00553a2b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a422",
            "parentcaller": "0x00553a2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "CopyFileExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76caf600"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a438",
            "parentcaller": "0x00553a2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "IsDebuggerPresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76c9da00"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a449",
            "parentcaller": "0x00553a2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "SetConsoleInputExeNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76626aa0"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a465",
            "parentcaller": "0x00553a2b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02de3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a465",
            "parentcaller": "0x00553a2b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a465",
            "parentcaller": "0x00553a2b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dc3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054ff75",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x005507f6",
            "parentcaller": "0x00553ae3",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "Arguments",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054d1cc",
            "parentcaller": "0x005507f6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00$\\x00\\x00\\x000\\xf9\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x80\\x00\\x00\\x008\\xf9\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\xc4\\xbd\\x02\\x10\\xfc\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02de3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054957c",
            "parentcaller": "0x0054d504",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054957c",
            "parentcaller": "0x0054d504",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100000",
                "pretty_value": "SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054957c",
            "parentcaller": "0x0054d504",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000258"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00\\\\x00"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054957c",
            "parentcaller": "0x0054d504",
            "category": "filesystem",
            "api": "GetVolumeInformationByHandleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "VolumeName",
                "value": ""
              },
              {
                "name": "VolumeSerial",
                "value": "0xd00a3b77"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054957c",
            "parentcaller": "0x0054d504",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x005495b1",
            "parentcaller": "0x0054d504",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e07000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x005495b1",
            "parentcaller": "0x0054d504",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x00549861",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054990f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e18000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x00555004",
            "parentcaller": "0x00551ba3",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0055500e",
            "parentcaller": "0x00551ba3",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 111
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x00559fff",
            "parentcaller": "0x0054b613",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x02db90b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xdd8a00ae"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcb206"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0054a4cf",
            "parentcaller": "0x00551f4d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x005522e5",
            "parentcaller": "0x0054990f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x005522e5",
            "parentcaller": "0x0054990f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e07000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x00549983",
            "parentcaller": "0x00549861",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\r\\x00\\x00\\x00\\xc8\\xf6\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xe0\\xff\\x03\\x00\\xd0\\xf6\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x84\\xf7\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x005631b5",
            "parentcaller": "0x0054998a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00 ,\\xda\\x02\\xa8\\xf6\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00 \\x02\\x00\\x00\\xb0\\xf6\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00e\\x00\\x00\\x00\\xc8\\x0c\\xdc\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e07000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "6772"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-03-12 10:00:23,714",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "cmdext.dll"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cmdext.dll"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cmdext.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000025c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\cmdext.dll"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Srp\\GP\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\GP\\"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "RuleCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\Gp\\RuleCount"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "FILE_READ_ACCESS"
              },
              {
                "name": "FileName",
                "value": "\\Device\\SrpDevice"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\SrpDevice"
              },
              {
                "name": "IoControlCode",
                "value": "0x00225804"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x02\\x00\\x00\\x00\\x00\\x00\\x00D\\x00\\\\x00?\\x00?\\x00\\\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00Y\\x00S\\x00T\\x00E\\x00M\\x003\\x002\\x00\\\\x00c\\x00m\\x00d\\x00e\\x00x\\x00t\\x00.\\x00d\\x00l\\x00l\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7362a000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73629000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73629000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x776c1000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x776c1000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73629000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73629000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\cmdext"
              },
              {
                "name": "DllBase",
                "value": "0x73620000"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\cmdext"
              },
              {
                "name": "BaseAddress",
                "value": "0x73620000"
              },
              {
                "name": "InitRoutine",
                "value": "0x73622280"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0058e000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x0055b8b9",
            "parentcaller": "0x0055cf1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0058e000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7362a000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-03-12 10:00:23,730",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7362a000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-03-12 10:00:23,745",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-03-12 10:00:23,777",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x774b0000"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-03-12 10:00:23,777",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\srpapi"
              },
              {
                "name": "DllBase",
                "value": "0x735e0000"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-03-12 10:00:23,792",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\appidapi"
              },
              {
                "name": "DllBase",
                "value": "0x73610000"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-03-12 10:00:23,792",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00001000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\appidapi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x73610000"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-03-12 10:00:23,792",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "DllBase",
                "value": "0x75310000"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-03-12 10:00:23,792",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x75310000"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-03-12 10:00:23,792",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x73900000"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x73900000"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "misc",
            "api": "SaferIdentifyLevel",
            "status": true,
            "return": "0x00000001",
            "arguments": [],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000003",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "8"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xca\\xda\\x02\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xa5\\x91\\xba)*\\xb2\\xbc\\x01/\\x0f\\xf7\\x13\\xe9\\x03\\x00\\x003\\x002\\x00\\\\x00A\\x00p\\x00p\\x00L\\x00o\\x00c\\x00k\\x00e\\x00r\\x00\\\\x00p\\x00l\\x00u\\x00g\\x00i\\x00n\\x00.\\x000\\x00.\\x00P\\x00o\\x00l\\x00i\\x00c\\x00y\\x00\\x00\\x005\\x00\n\\x00\\x00\n'\\xbb\\x00\\x00\\x00\\x9b\\xda\\x02\\xf8\\x98\\xda\\x021\\x00\\x00\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "15"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00552642",
            "parentcaller": "0x00554d73",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x00555004",
            "parentcaller": "0x00552748",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x0055500e",
            "parentcaller": "0x00552748",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 164
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dc3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x005535a7",
            "parentcaller": "0x0054dfe0",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x0054e004",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 167
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x0054f78b",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "Buffer",
                "value": "@echo off\necho CAPE Test Sample\necho Hostname: %COMPUTERNAME%\necho User: %USERNAME%\nipconfig\n"
              },
              {
                "name": "Length",
                "value": "93"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-03-12 10:00:23,808",
            "thread_id": "6772",
            "caller": "0x0054dcba",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 172
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0054dd00",
            "parentcaller": "0x00554e2f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x005507f6",
            "parentcaller": "0x0054dec8",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "echo"
              },
              {
                "name": "Arguments",
                "value": " off"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0054d1cc",
            "parentcaller": "0x005507f6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x19\\x00\\x00\\x00P\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00p\\x02\\x94\\x04X\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xb0\\xee`w0\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e38000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dc3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x005505fc",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 182
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x00550642",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0054ded5",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\xa0\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\xa7cs\\xa8\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00T\\xef\\xaf\\x02 \\xf0\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x005535a7",
            "parentcaller": "0x0054dfe0",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0054e004",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 191
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0054f78b",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "Buffer",
                "value": "echo CAPE Test Sample\necho Hostname: %COMPUTERNAME%\necho User: %USERNAME%\nipconfig\n"
              },
              {
                "name": "Length",
                "value": "83"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-03-12 10:00:23,824",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054dcba",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 196
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054dd00",
            "parentcaller": "0x00554e2f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x005507f6",
            "parentcaller": "0x0054dec8",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "echo"
              },
              {
                "name": "Arguments",
                "value": " CAPE Test Sample"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054d1cc",
            "parentcaller": "0x005507f6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x17\\x00\\x00\\x00P\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00p\\x02\\x94\\x04X\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xb0\\xee`w0\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054d14e",
            "parentcaller": "0x0054d222",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054d14e",
            "parentcaller": "0x0054d222",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054b4f2",
            "parentcaller": "0x0054b42d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xa8\\xec\\xaf\\x02x\\xed\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054b47f",
            "parentcaller": "0x0054b897",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x000000b8"
              },
              {
                "name": "Buffer",
                "value": "CAPE Test Sample\r\n"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x005505fc",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 207
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x00550642",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054ded5",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\xa0\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\xa7cs\\xa8\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00T\\xef\\xaf\\x02 \\xf0\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x005535a7",
            "parentcaller": "0x0054dfe0",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054e004",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 216
          },
          {
            "timestamp": "2026-03-12 10:00:23,839",
            "thread_id": "6772",
            "caller": "0x0054f78b",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "Buffer",
                "value": "echo Hostname: %COMPUTERNAME%\necho User: %USERNAME%\nipconfig\n"
              },
              {
                "name": "Length",
                "value": "61"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ">\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fdbb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054dcba",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ">\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 222
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054dd00",
            "parentcaller": "0x00554e2f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x005507f6",
            "parentcaller": "0x0054dec8",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "echo"
              },
              {
                "name": "Arguments",
                "value": " Hostname: DESKTOP-21H4T4T"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054d1cc",
            "parentcaller": "0x005507f6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00T\\xbb\\xd3\\x04P\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00 \\x00\\x00\\x00X\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x03\\xc4]w0\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054d14e",
            "parentcaller": "0x0054d222",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054d14e",
            "parentcaller": "0x0054d222",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054b4f2",
            "parentcaller": "0x0054b42d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xa8\\xec\\xaf\\x02x\\xed\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054b47f",
            "parentcaller": "0x0054b897",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x000000b8"
              },
              {
                "name": "Buffer",
                "value": "Hostname: DESKTOP-21H4T4T\r\n"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x005505fc",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 232
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x00550642",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054ded5",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\xa0\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\xa7cs\\xa8\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00T\\xef\\xaf\\x02 \\xf0\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-03-12 10:00:23,855",
            "thread_id": "6772",
            "caller": "0x005535a7",
            "parentcaller": "0x0054dfe0",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054e004",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ">\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 241
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054f78b",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "Buffer",
                "value": "echo User: %USERNAME%\nipconfig\n"
              },
              {
                "name": "Length",
                "value": "31"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fdbb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054dcba",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 247
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054dd00",
            "parentcaller": "0x00554e2f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x005507f6",
            "parentcaller": "0x0054dec8",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "echo"
              },
              {
                "name": "Arguments",
                "value": " User: malware"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054d1cc",
            "parentcaller": "0x005507f6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x17\\x00\\x00\\x00P\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00p\\x02\\x94\\x04X\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xb0\\xee`w0\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054d14e",
            "parentcaller": "0x0054d222",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054d14e",
            "parentcaller": "0x0054d222",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054ffc4",
            "parentcaller": "0x0054d2b4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-03-12 10:00:23,870",
            "thread_id": "6772",
            "caller": "0x0054b4f2",
            "parentcaller": "0x0054b42d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xa8\\xec\\xaf\\x02x\\xed\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054b47f",
            "parentcaller": "0x0054b897",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x000000b8"
              },
              {
                "name": "Buffer",
                "value": "User: malware\r\n"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x005505fc",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 259
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x00550642",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054ded5",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\xa0\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\xa7cs\\xa8\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00T\\xef\\xaf\\x02 \\xf0\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x005535a7",
            "parentcaller": "0x0054dfe0",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054e004",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 268
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054f78b",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "Buffer",
                "value": "ipconfig\n"
              },
              {
                "name": "Length",
                "value": "9"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 270
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-03-12 10:00:23,886",
            "thread_id": "6772",
            "caller": "0x0054dcba",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 272
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054dd00",
            "parentcaller": "0x00554e2f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054de6e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e48000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00555004",
            "parentcaller": "0x00551ba3",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0055500e",
            "parentcaller": "0x00551ba3",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 277
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054de6e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00559fff",
            "parentcaller": "0x0056459a",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\ipconfig.*"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00559fff",
            "parentcaller": "0x0056459a",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x02db96b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ipconfig.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x9a38a26e"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d9f433"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054a4cf",
            "parentcaller": "0x0054de6e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00552287",
            "parentcaller": "0x0054de6e",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00552287",
            "parentcaller": "0x0054de6e",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00552287",
            "parentcaller": "0x0054de6e",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x005507f6",
            "parentcaller": "0x0054dec8",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "ipconfig"
              },
              {
                "name": "Arguments",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054d1cc",
            "parentcaller": "0x005507f6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x19\\x00\\x00\\x00P\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00p\\x02\\x94\\x04X\\xed\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xb0\\xee`w0\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054990f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e68000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00555004",
            "parentcaller": "0x00551ba3",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0055500e",
            "parentcaller": "0x00551ba3",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 291
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00559fff",
            "parentcaller": "0x0056459a",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\ipconfig.*"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00559fff",
            "parentcaller": "0x0056459a",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x02db96b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ipconfig.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x9a38a26e"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d9f433"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054a4cf",
            "parentcaller": "0x0054990f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00552287",
            "parentcaller": "0x0054990f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e57000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00552287",
            "parentcaller": "0x0054990f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e47000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x00549928",
            "parentcaller": "0x00549861",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xff\\x07\\x00\\x00\\xe8\\xea\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xe0\\xff\\x00\\x00\\xf0\\xea\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xa0m\\xe3\\x02\\xa4\\xeb\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000108"
              },
              {
                "name": "ValueName",
                "value": "000604xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000604xx"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76c80000"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76c96ec0"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76c80000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76cbedd0"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000274"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x064e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x02afe6dc"
              },
              {
                "name": "ViewSize",
                "value": "0x0033a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054af4d",
            "parentcaller": "0x00549944",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "en"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x0054989f",
            "parentcaller": "0x00549944",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x18\\xea\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-03-12 10:00:23,902",
            "thread_id": "6772",
            "caller": "0x005498b6",
            "parentcaller": "0x00549944",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x18\\xea\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-03-12 10:00:23,917",
            "thread_id": "6772",
            "caller": "0x0054af9d",
            "parentcaller": "0x00549944",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000278"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000274"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\ipconfig.exe"
              },
              {
                "name": "CommandLine",
                "value": "ipconfig"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "7116"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-03-12 10:00:23,995",
            "thread_id": "6772",
            "caller": "0x0054af9d",
            "parentcaller": "0x00549944",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-03-12 10:00:23,995",
            "thread_id": "6772",
            "caller": "0x0054af9d",
            "parentcaller": "0x00549944",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "KernelBase"
              },
              {
                "name": "BaseAddress",
                "value": "0x76430000"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-03-12 10:00:24,011",
            "thread_id": "6772",
            "caller": "0x0054af9d",
            "parentcaller": "0x00549944",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "6772"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76581dcc"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-03-12 10:00:24,011",
            "thread_id": "6772",
            "caller": "0x0054af9d",
            "parentcaller": "0x00549944",
            "category": "process",
            "api": "CreateProcessW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\ipconfig.exe"
              },
              {
                "name": "CommandLine",
                "value": "ipconfig"
              },
              {
                "name": "CreationFlags",
                "value": "0x00080000"
              },
              {
                "name": "ProcessId",
                "value": "7116"
              },
              {
                "name": "ThreadId",
                "value": "2792"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000278"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000274"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-03-12 10:00:24,011",
            "thread_id": "6772",
            "caller": "0x0054afbf",
            "parentcaller": "0x00549944",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-03-12 10:00:24,011",
            "thread_id": "6772",
            "caller": "0x005497b2",
            "parentcaller": "0x0054b027",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-03-12 10:00:24,480",
            "thread_id": "6772",
            "caller": "0x0054981a",
            "parentcaller": "0x0054b027",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-03-12 10:00:24,480",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-03-12 10:00:24,480",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dc4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-03-12 10:00:24,480",
            "thread_id": "6772",
            "caller": "0x005505fc",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 322
          },
          {
            "timestamp": "2026-03-12 10:00:24,480",
            "thread_id": "6772",
            "caller": "0x00550642",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xec\\xf1\\xaf\\x02\\x90\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\x98\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 323
          },
          {
            "timestamp": "2026-03-12 10:00:24,480",
            "thread_id": "6772",
            "caller": "0x0054ded5",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\r\\x84\\xdc\\xc9\\xa0\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\xa7cs\\xa8\\xf2\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-03-12 10:00:24,480",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x00554e2f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00T\\xef\\xaf\\x02 \\xf0\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xf0\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-03-12 10:00:24,480",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e27000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-03-12 10:00:24,480",
            "thread_id": "6772",
            "caller": "0x0054df07",
            "parentcaller": "0x00554e2f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x005535a7",
            "parentcaller": "0x0054dfe0",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054e004",
            "parentcaller": "0x00554e2f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x0054dcb1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e47000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x0054dcb1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e57000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x0054dcb1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00050000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x0054dcb1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x0054dcb1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e37000"
              },
              {
                "name": "RegionSize",
                "value": "0x00050000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054f76a",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 335
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054f78b",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00]\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054fefe",
            "parentcaller": "0x0054fc1d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054f76a",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 340
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054f78b",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00]\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054fb9c",
            "parentcaller": "0x0056062f",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "]\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 4,
            "id": 343
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0054dd00",
            "parentcaller": "0x00554e2f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x00554ea6",
            "parentcaller": "0x005499a1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00070000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x00554ea6",
            "parentcaller": "0x005499a1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e07000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x00554ea6",
            "parentcaller": "0x005499a1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-03-12 10:00:24,495",
            "thread_id": "6772",
            "caller": "0x0055330e",
            "parentcaller": "0x005507f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02de3000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x005505fc",
            "parentcaller": "0x0055bce2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xcc\\xfd\\xaf\\x02p\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00-\\x88\\xdc\\xc9x\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 349
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00550642",
            "parentcaller": "0x0055bce2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xcc\\xfd\\xaf\\x02p\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00-\\x88\\xdc\\xc9x\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00553a83",
            "parentcaller": "0x0055bce2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00-\\x88\\xdc\\xc9\\x80\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\xa7cs\\x88\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00550589",
            "parentcaller": "0x0055bce2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x004\\xfb\\xaf\\x02\\x00\\xfc\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xfc\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055007c",
            "parentcaller": "0x005636b6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xa0\\x00\\x00\\x00`\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xfe\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ae57",
            "parentcaller": "0x0055ac06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055af21",
            "parentcaller": "0x0055ae6f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055aeda",
            "parentcaller": "0x0055ae8d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055aea8",
            "parentcaller": "0x0055ac06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ae14",
            "parentcaller": "0x0055ac87",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04840000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ae14",
            "parentcaller": "0x0055ac87",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000154"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ae14",
            "parentcaller": "0x0055ac87",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ae14",
            "parentcaller": "0x0055ac87",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\en-US\\cmd.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ae14",
            "parentcaller": "0x0055ac87",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000154"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\cmd.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ae14",
            "parentcaller": "0x0055ac87",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000154"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\cmd.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ae14",
            "parentcaller": "0x0055ac87",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000278"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04840000"
              },
              {
                "name": "SectionOffset",
                "value": "0x02afedb8"
              },
              {
                "name": "ViewSize",
                "value": "0x00021000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ae14",
            "parentcaller": "0x0055ac87",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055ad07",
            "parentcaller": "0x005636d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1c,\\xda\\x02\\xc0\\xfb\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x18\\x02\\x00\\x00\\xc8\\xfb\\xaf\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00D\\x00\\x00\\x00\\x88\\xfc\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054b4f2",
            "parentcaller": "0x00548cf1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xbc\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x04\\x01\\x00\\x00\\x90\\xfb\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xfb\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00548d0e",
            "parentcaller": "0x00548cb9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xbc\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\xe8\\xfa\\xaf\\x02\\x00\\x00\\x00\\x00\\\\x00\\x00\\x00X\\xfb\\xaf\\x02\\xf0\\xfa\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00549444",
            "parentcaller": "0x00548d35",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00549444",
            "parentcaller": "0x00548d35",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00549444",
            "parentcaller": "0x00548d35",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\KERNELBASE.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00549444",
            "parentcaller": "0x00548d35",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000278"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\KernelBase.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00549444",
            "parentcaller": "0x00548d35",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000274"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06820000"
              },
              {
                "name": "SectionOffset",
                "value": "0x02afecb0"
              },
              {
                "name": "ViewSize",
                "value": "0x0014a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00549444",
            "parentcaller": "0x00548d35",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x00548d7b",
            "parentcaller": "0x00548cb9",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x000000bc"
              },
              {
                "name": "Buffer",
                "value": "Not enough memory resources are available to process this command.\r\n"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x00563704",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e07000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x00563704",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00070000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x00563704",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e07000"
              },
              {
                "name": "RegionSize",
                "value": "0x00098000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x00563704",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x00563704",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02de3000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x00563704",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02ddf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x00563704",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x00563704",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02ddf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054eb19",
            "parentcaller": "0x00563704",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02dd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054b4f2",
            "parentcaller": "0x0054b42d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\xe0\\xfa\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\xe8\\xfa\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054b47f",
            "parentcaller": "0x00569698",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x000000b8"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055c934",
            "parentcaller": "0x0055c2ea",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02df7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054b4f2",
            "parentcaller": "0x0054b42d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00u\\x16bw\\xe8\\xfa\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xfa\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0054b47f",
            "parentcaller": "0x00569bfa",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x000000b8"
              },
              {
                "name": "Buffer",
                "value": "C:\\Users\\malware\\AppData\\Local\\Temp>"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0055007c",
            "parentcaller": "0x0054f681",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00h\\x94\\xda\\x02\\xb8\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xe4\\xfb\\x84s\\xc0\\xfd\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 390
          },
          {
            "timestamp": "2026-03-12 10:00:24,511",
            "thread_id": "6772",
            "caller": "0x0056616f",
            "parentcaller": "0x0054f6fc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000a0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00B\\x00\\x00\\x00\\xa0\\xfc\\xaf\\x02\\x00\\x00\\x00\\x00\\\\x00\\x00\\x00\\x9c\\xfb\\xaf\\x02\\xa8\\xfc\\xaf\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 391
          }
        ],
        "threads": [
          "6772",
          "6800",
          "3164",
          "2516",
          "1520"
        ],
        "environ": {
          "UserName": "malware",
          "ComputerName": "DESKTOP-21H4T4T",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\malware\\AppData\\Local\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "d00a-3b77",
          "SystemVolumeGUID": "6b93884e-0000-0000-0000-500600000000",
          "MachineGUID": "",
          "MainExeBase": "0x00540000",
          "MainExeSize": "0x0005b000",
          "Bitness": "32-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 7116,
        "process_name": "ipconfig.exe",
        "parent_id": 5732,
        "module_path": "C:\\Windows\\SysWOW64\\ipconfig.exe",
        "first_seen": "2026-03-12 10:00:24,144",
        "calls": [
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x775d6f3e",
            "parentcaller": "0x775f5baa",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\dhcpcsvc"
              },
              {
                "name": "BaseAddress",
                "value": "0x735c0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x735c4400"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x775d6f3e",
            "parentcaller": "0x775f5baa",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\dhcpcsvc6"
              },
              {
                "name": "BaseAddress",
                "value": "0x735a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x735a33e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x7761cd89",
            "parentcaller": "0x7764273a",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cd9f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "SmtDelaySleepLoopWindowSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySleepLoopWindowSize"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cdb1",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "SmtDelaySpinCountThreshold"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySpinCountThreshold"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cdc3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "SmtDelayBaseYield"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayBaseYield"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cdd5",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "SmtFactorYield"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtFactorYield"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x7761ce26",
            "parentcaller": "0x7761cde7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "SmtDelayMaxYield"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayMaxYield"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x7761cdf5",
            "parentcaller": "0x7764273a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2320",
            "caller": "0x775d2c5f",
            "parentcaller": "0x775d6be4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000094"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 11
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xf3.\\x06\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf3.\\x06\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x0071590a",
            "parentcaller": "0x007159c4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04e03000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "cM\\x15\\x00\\x00\\x00\\x00\\x00n\\xdb\\x03\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xe4\\x96\\x14\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x9d\\x0f\\x03\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xa5\\x91\\xba)*\\xb2\\xbc\\x01/\\x0f\\xf7\\x13\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x775e6966",
            "parentcaller": "0x775e6672",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04e04000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x775e6966",
            "parentcaller": "0x775e6672",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04e06000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x775fd86f",
            "parentcaller": "0x775d5d4a",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x775fd88c",
            "parentcaller": "0x775d5d4a",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000025c"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x775fd8a2",
            "parentcaller": "0x775d5d4a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x775c7dc5",
            "parentcaller": "0x775c7fdf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04e10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x775c7e0c",
            "parentcaller": "0x775c7fdf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04e10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "3884",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2320",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x03\\xc4\\x05\\x00H\\xef\\xdd\\x04\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xe4\\x01P\\xef\\xdd\\x04\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2320",
            "caller": "0x775e6966",
            "parentcaller": "0x775e6672",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04e08000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2320",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "2320",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-03-12 10:00:24,284",
            "thread_id": "4548",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x03\\xc4\\x05\\x000\\xef\\xd5\\x04\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xe4\\x018\\xef\\xd5\\x04\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-03-12 10:00:24,300",
            "thread_id": "4548",
            "caller": "0x775e6966",
            "parentcaller": "0x775e6672",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03100000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-03-12 10:00:24,300",
            "thread_id": "4548",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-03-12 10:00:24,300",
            "thread_id": "4548",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-03-12 10:00:24,300",
            "thread_id": "5992",
            "caller": "0x7656e91e",
            "parentcaller": "0x7656e82e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x03\\xc4\\x05\\x00h\\xf4\\xcd\\x04\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xe4\\x01p\\xf4\\xcd\\x04\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-03-12 10:00:24,300",
            "thread_id": "5992",
            "caller": "0x775edf9b",
            "parentcaller": "0x7761cba3",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-03-12 10:00:24,300",
            "thread_id": "5992",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-03-12 10:00:24,300",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "2792"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76581d9c"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x0071541d",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x00715426",
            "parentcaller": "0x00715a20",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x9c\\xf8\\xde\\x02h\\xf9\\xde\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xf9\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x00712e8c",
            "parentcaller": "0x0071567b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xe8\\xfb\\xde\\x02\\xa8\\xfb\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf4\\xfa\\xde\\x02\\xb0\\xfb\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x007138fa",
            "parentcaller": "0x00715566",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04c50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x007138fa",
            "parentcaller": "0x00715566",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000124"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x007138fa",
            "parentcaller": "0x00715566",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x007138fa",
            "parentcaller": "0x00715566",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\en-US\\ipconfig.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x007138fa",
            "parentcaller": "0x00715566",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000124"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\ipconfig.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x007138fa",
            "parentcaller": "0x00715566",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000124"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\en-US\\ipconfig.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x007138fa",
            "parentcaller": "0x00715566",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000260"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04c50000"
              },
              {
                "name": "SectionOffset",
                "value": "0x02deed58"
              },
              {
                "name": "ViewSize",
                "value": "0x00007000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-03-12 10:00:24,316",
            "thread_id": "2792",
            "caller": "0x007138fa",
            "parentcaller": "0x00715566",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x00712e8c",
            "parentcaller": "0x00712f9a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xa6\\x02\\xe8V\\x88\\xfb\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x0e\\x03\\x90\\xfb\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00H\\xca\\x0e\\x03\\xc0\\xdf\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x88\\xe1\\xde\\x02\\xc8\\xdf\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xdf\\xde\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xdf\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x40100080",
                "pretty_value": "GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\CONOUT$"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "W"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "i"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "n"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "d"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "o"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "w"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "s"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "I"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "P"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "C"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "o"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "n"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "f"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "i"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "g"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "u"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "r"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "a"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "i"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "o"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "n"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 1,
            "id": 87
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x007130fa",
            "parentcaller": "0x007131e1",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-03-12 10:00:24,331",
            "thread_id": "2792",
            "caller": "0x0071310b",
            "parentcaller": "0x007131e1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x775f9220"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x00714e1b",
            "parentcaller": "0x0071565b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 92
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x00714e1b",
            "parentcaller": "0x0071565b",
            "category": "network",
            "api": "GetAdaptersAddresses",
            "status": false,
            "return": "0x0000006f",
            "arguments": [],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x00714e1b",
            "parentcaller": "0x0071565b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 4,
            "id": 94
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x00712e8c",
            "parentcaller": "0x00712f9a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xb0\\xee`wH\\xf8\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00S\\xb7^wP\\xf8\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "E"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "h"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "r"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "n"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "a"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "d"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "a"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "p"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "r"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "E"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "h"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "r"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "n"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 1,
            "id": 129
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x00712e8c",
            "parentcaller": "0x00712f9a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xb0\\xee`wH\\xf8\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00S\\xb7^wP\\xf8\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-03-12 10:00:24,347",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 2,
            "id": 135
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "C"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "o"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "n"
              }
            ],
            "repeated": 1,
            "id": 138
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "c"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "i"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "o"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "n"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "-"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "s"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "p"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "c"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "i"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "f"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "i"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "c"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "D"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "N"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "S"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "S"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "u"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "f"
              }
            ],
            "repeated": 1,
            "id": 161
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "i"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "x"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 1,
            "id": 164
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x00712e8c",
            "parentcaller": "0x00712f9a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00f\\x0f\\xe8VH\\xf8\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x0e\\x03P\\xf8\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 2,
            "id": 175
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "L"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "i"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "n"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "k"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "-"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "l"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "o"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "c"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "a"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "l"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "I"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "P"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "v"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "A"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "d"
              }
            ],
            "repeated": 1,
            "id": 193
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "r"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "s"
              }
            ],
            "repeated": 1,
            "id": 196
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "f"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 1,
            "id": 214
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "9"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-03-12 10:00:24,362",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "f"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "f"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "6"
              }
            ],
            "repeated": 1,
            "id": 230
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "b"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "%"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x00712e8c",
            "parentcaller": "0x00712f9a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00f\\x0f\\xe8VH\\xf8\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x0e\\x03P\\xf8\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x80\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 2,
            "id": 242
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "I"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "P"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "v"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "A"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "d"
              }
            ],
            "repeated": 1,
            "id": 249
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "r"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "s"
              }
            ],
            "repeated": 1,
            "id": 252
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "9"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "5"
              }
            ],
            "repeated": 1,
            "id": 285
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x00712e8c",
            "parentcaller": "0x00712f9a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xb0\\xee`wH\\xf8\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00S\\xb7^wP\\xf8\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-03-12 10:00:24,378",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 2,
            "id": 296
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "S"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "u"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "b"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "n"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "M"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "a"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "s"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "k"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "5"
              }
            ],
            "repeated": 1,
            "id": 334
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "5"
              }
            ],
            "repeated": 1,
            "id": 337
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "5"
              }
            ],
            "repeated": 1,
            "id": 340
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x00712e8c",
            "parentcaller": "0x00712f9a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xb0\\xee`wH\\xf8\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00S\\xb7^wP\\xf8\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdc\\xde\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xdc\\xde\\x02\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 2,
            "id": 349
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "D"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "f"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "a"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "u"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "l"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-03-12 10:00:24,394",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "G"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "a"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "t"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "e"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "w"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "a"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "y"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": ":"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "9"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "5"
              }
            ],
            "repeated": 1,
            "id": 394
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "."
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\n"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x0071307a",
            "parentcaller": "0x00713909",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000288"
              },
              {
                "name": "Buffer",
                "value": "\r"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x00714e5f",
            "parentcaller": "0x0071565b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03101000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x00714e5f",
            "parentcaller": "0x0071565b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0310f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001dc"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001e0"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d8"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c0"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c4"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c8"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001cc"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d0"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d4"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x775f5140"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x775f5140"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x771fd000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x771fd000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001b8"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001bc"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001b4"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x775f5140"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000198"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000019c"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a0"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a4"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a8"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001b0"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ac"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000178"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000017c"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000174"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000170"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000016c"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000168"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x775f5140"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000158"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000150"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000154"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-03-12 10:00:24,409",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000128"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000012c"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000130"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000130"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000130"
              },
              {
                "name": "ValueName",
                "value": "DisableMetaFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000130"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x775f5140"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000118"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000108"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a8"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000010c"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000110"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x775f5140"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000cc"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e4"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e8"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e0"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000d0"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-03-12 10:00:24,425",
            "thread_id": "2792",
            "caller": "0x007154e7",
            "parentcaller": "0x00715a20",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 475
          }
        ],
        "threads": [
          "2792",
          "2320",
          "3884",
          "4548",
          "5992"
        ],
        "environ": {
          "UserName": "malware",
          "ComputerName": "DESKTOP-21H4T4T",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\malware\\AppData\\Local\\Temp\\",
          "CommandLine": "ipconfig",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "d00a-3b77",
          "SystemVolumeGUID": "6b93884e-0000-0000-0000-500600000000",
          "MachineGUID": "",
          "MainExeBase": "0x00710000",
          "MainExeSize": "0x0000c000",
          "Bitness": "32-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "cmd.exe",
        "pid": 4136,
        "parent_id": 1840,
        "module_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "children": [
          {
            "name": "cmd.exe",
            "pid": 5732,
            "parent_id": 4136,
            "module_path": "C:\\Windows\\SysWOW64\\cmd.exe",
            "children": [
              {
                "name": "ipconfig.exe",
                "pid": 7116,
                "parent_id": 5732,
                "module_path": "C:\\Windows\\SysWOW64\\ipconfig.exe",
                "children": [],
                "threads": [
                  "2792",
                  "2320",
                  "3884",
                  "4548",
                  "5992"
                ],
                "environ": {
                  "UserName": "malware",
                  "ComputerName": "DESKTOP-21H4T4T",
                  "WindowsPath": "C:\\Windows",
                  "TempPath": "C:\\Users\\malware\\AppData\\Local\\Temp\\",
                  "CommandLine": "ipconfig",
                  "RegisteredOwner": "",
                  "RegisteredOrganization": "",
                  "ProductName": "",
                  "SystemVolumeSerialNumber": "d00a-3b77",
                  "SystemVolumeGUID": "6b93884e-0000-0000-0000-500600000000",
                  "MachineGUID": "",
                  "MainExeBase": "0x00710000",
                  "MainExeSize": "0x0000c000",
                  "Bitness": "32-bit"
                }
              }
            ],
            "threads": [
              "6772",
              "6800",
              "3164",
              "2516",
              "1520"
            ],
            "environ": {
              "UserName": "malware",
              "ComputerName": "DESKTOP-21H4T4T",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\malware\\AppData\\Local\\Temp\\",
              "CommandLine": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "d00a-3b77",
              "SystemVolumeGUID": "6b93884e-0000-0000-0000-500600000000",
              "MachineGUID": "",
              "MainExeBase": "0x00540000",
              "MainExeSize": "0x0005b000",
              "Bitness": "32-bit"
            }
          }
        ],
        "threads": [
          "3820",
          "5080",
          "4164",
          "2316",
          "6272",
          "3088",
          "2208"
        ],
        "environ": {
          "UserName": "malware",
          "ComputerName": "DESKTOP-21H4T4T",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\malware\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "d00a-3b77",
          "SystemVolumeGUID": "6b93884e-0000-0000-0000-500600000000",
          "MachineGUID": "",
          "MainExeBase": "0x00540000",
          "MainExeSize": "0x0005b000",
          "Bitness": "32-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "C:\\Users\\malware\\AppData\\Local\\Temp",
        "C:\\Users",
        "C:\\Users\\malware",
        "C:\\Users\\malware\\AppData",
        "C:\\Users\\malware\\AppData\\Local",
        "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat",
        "C:\\",
        "C:\\Windows\\System32\\cmdext.dll",
        "\\Device\\SrpDevice",
        "C:\\Users\\malware\\AppData\\Local\\Temp\\ipconfig.*",
        "C:\\Windows\\System32\\ipconfig.*",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Windows\\SysWOW64\\en-US\\cmd.exe.mui",
        "C:\\Windows\\sysnative\\en-US\\cmd.exe.mui",
        "C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui",
        "C:\\Windows\\sysnative\\en-US\\KERNELBASE.dll.mui",
        "C:\\Windows\\SysWOW64\\en-US\\ipconfig.exe.mui",
        "C:\\Windows\\sysnative\\en-US\\ipconfig.exe.mui",
        "\\??\\CONOUT$"
      ],
      "read_files": [],
      "write_files": [
        "\\??\\CONOUT$"
      ],
      "delete_files": [],
      "keys": [
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySleepLoopWindowSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySpinCountThreshold",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayBaseYield",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtFactorYield",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayMaxYield",
        "HKEY_CURRENT_USER",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\System\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\GP\\",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\Gp\\RuleCount",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000604xx",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySleepLoopWindowSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySpinCountThreshold",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayBaseYield",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtFactorYield",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayMaxYield",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\Gp\\RuleCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000604xx",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
      ],
      "write_keys": [],
      "delete_keys": [],
      "executed_commands": [
        "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"",
        "ipconfig"
      ],
      "resolved_apis": [],
      "mutexes": [],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,087",
        "eid": 1,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySleepLoopWindowSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,087",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySpinCountThreshold",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,087",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayBaseYield",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,087",
        "eid": 4,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtFactorYield",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,087",
        "eid": 5,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayMaxYield",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,087",
        "eid": 6,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,103",
        "eid": 7,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,103",
        "eid": 8,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,103",
        "eid": 9,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,103",
        "eid": 10,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,103",
        "eid": 11,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,103",
        "eid": 12,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,103",
        "eid": 13,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,165",
        "eid": 14,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,165",
        "eid": 15,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,165",
        "eid": 16,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,228",
        "eid": 17,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77590000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,228",
        "eid": 18,
        "data": {
          "file": "KernelBase",
          "pathtofile": null,
          "moduleaddress": "0x76430000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-03-12 10:00:23,243",
        "eid": 19,
        "data": {
          "file": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,636",
        "eid": 20,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySleepLoopWindowSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,636",
        "eid": 21,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySpinCountThreshold",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,636",
        "eid": 22,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayBaseYield",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,636",
        "eid": 23,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtFactorYield",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,636",
        "eid": 24,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayMaxYield",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,652",
        "eid": 25,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,667",
        "eid": 26,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,667",
        "eid": 27,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,667",
        "eid": 28,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,667",
        "eid": 29,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,667",
        "eid": 30,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,667",
        "eid": 31,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,667",
        "eid": 32,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,714",
        "eid": 33,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,714",
        "eid": 34,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,714",
        "eid": 35,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,730",
        "eid": 36,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\Gp\\RuleCount",
          "content": "2"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,792",
        "eid": 37,
        "data": {
          "file": "C:\\Windows\\System32\\appidapi.dll",
          "pathtofile": null,
          "moduleaddress": "0x73610000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,792",
        "eid": 38,
        "data": {
          "file": "C:\\Windows\\System32\\bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x75310000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,808",
        "eid": 39,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x73900000"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-03-12 10:00:23,808",
        "eid": 40,
        "data": {
          "file": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-03-12 10:00:23,824",
        "eid": 41,
        "data": {
          "file": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-03-12 10:00:23,839",
        "eid": 42,
        "data": {
          "file": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-03-12 10:00:23,870",
        "eid": 43,
        "data": {
          "file": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-03-12 10:00:23,886",
        "eid": 44,
        "data": {
          "file": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,902",
        "eid": 45,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000604xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,902",
        "eid": 46,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76c80000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,902",
        "eid": 47,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:23,902",
        "eid": 48,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,995",
        "eid": 49,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77590000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:23,995",
        "eid": 50,
        "data": {
          "file": "KernelBase",
          "pathtofile": null,
          "moduleaddress": "0x76430000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-03-12 10:00:24,011",
        "eid": 51,
        "data": {
          "file": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-03-12 10:00:24,495",
        "eid": 52,
        "data": {
          "file": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-03-12 10:00:24,495",
        "eid": 53,
        "data": {
          "file": "C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:24,284",
        "eid": 54,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySleepLoopWindowSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:24,284",
        "eid": 55,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelaySpinCountThreshold",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:24,284",
        "eid": 56,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayBaseYield",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:24,284",
        "eid": 57,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtFactorYield",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:24,284",
        "eid": 58,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SmtDelayMaxYield",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:24,284",
        "eid": 59,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:24,316",
        "eid": 60,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:24,316",
        "eid": 61,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:24,331",
        "eid": 62,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:24,409",
        "eid": 63,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:24,409",
        "eid": 64,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:24,409",
        "eid": 65,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:24,409",
        "eid": 66,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:24,409",
        "eid": 67,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-03-12 10:00:24,425",
        "eid": 68,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-03-12 10:00:24,425",
        "eid": 69,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": []
    }
  },
  "debug": {
    "log": "2026-03-12 02:59:08,172 [root] INFO: Date set to: 20260312T03:00:10, timeout set to: 60\n2026-03-12 03:00:10,028 [root] DEBUG: Starting analyzer from: C:\\fo9rzin5\n2026-03-12 03:00:10,028 [root] DEBUG: Storing results at: C:\\cviTrXvdj\n2026-03-12 03:00:10,044 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\inyUZdIu\n2026-03-12 03:00:10,044 [root] DEBUG: Python path: C:\\Users\\malware\\AppData\\Local\\Programs\\Python\\Python310-32\n2026-03-12 03:00:10,044 [root] INFO: analysis running as an admin\n2026-03-12 03:00:10,044 [root] DEBUG: no analysis package configured, picking one for you\n2026-03-12 03:00:10,060 [root] INFO: analysis package selected: \"batch\"\n2026-03-12 03:00:10,060 [root] DEBUG: importing analysis package module: \"modules.packages.batch\"...\n2026-03-12 03:00:10,075 [root] DEBUG: imported analysis package \"batch\"\n2026-03-12 03:00:10,075 [root] DEBUG: initializing analysis package \"batch\"...\n2026-03-12 03:00:10,075 [lib.common.common] INFO: wrapping\n2026-03-12 03:00:10,091 [lib.core.compound] INFO: C:\\Users\\malware\\AppData\\Local\\Temp already exists, skipping creation\n2026-03-12 03:00:10,091 [root] DEBUG: New location of moved file: C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\n2026-03-12 03:00:10,091 [root] INFO: Analyzer: Package modules.packages.batch does not specify a DLL option\n2026-03-12 03:00:10,091 [root] INFO: Analyzer: Package modules.packages.batch does not specify a DLL_64 option\n2026-03-12 03:00:10,091 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader option\n2026-03-12 03:00:10,091 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader_64 option\n2026-03-12 03:00:10,372 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-03-12 03:00:10,482 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-03-12 03:00:10,513 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-03-12 
03:00:10,544 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-03-12 03:00:10,575 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2026-03-12 03:00:10,575 [lib.api.screenshot] ERROR: No module named 'PIL'\n2026-03-12 03:00:10,575 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-03-12 03:00:10,591 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-03-12 03:00:10,591 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-03-12 03:00:10,591 [root] DEBUG: attempting to configure 'Browser' from data\n2026-03-12 03:00:10,607 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-03-12 03:00:10,607 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-03-12 03:00:10,607 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-03-12 03:00:10,607 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-03-12 03:00:10,607 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-03-12 03:00:10,607 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-03-12 03:00:10,607 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-03-12 03:00:10,607 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-03-12 03:00:11,204 [modules.auxiliary.digisig] DEBUG: File format not recognized\n2026-03-12 03:00:11,204 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-03-12 03:00:11,204 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-03-12 03:00:11,204 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-03-12 03:00:11,204 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-03-12 03:00:11,204 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-03-12 03:00:11,219 [root] DEBUG: Trying to start auxiliary module 
\"modules.auxiliary.disguise\"...\n2026-03-12 03:00:11,219 [modules.auxiliary.disguise] INFO: Disguising GUID to b2264b3c-dd7b-4e4c-ba87-863f30d8f63d\n2026-03-12 03:00:11,219 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-03-12 03:00:11,219 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-03-12 03:00:11,219 [root] DEBUG: attempting to configure 'Human' from data\n2026-03-12 03:00:11,219 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-03-12 03:00:11,219 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-03-12 03:00:11,235 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-03-12 03:00:11,235 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-03-12 03:00:11,235 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-03-12 03:00:11,235 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-03-12 03:00:11,235 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-03-12 03:00:11,250 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2026-03-12 03:00:11,250 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-03-12 03:00:11,250 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-03-12 03:00:11,250 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-03-12 03:00:11,250 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-03-12 03:00:11,266 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-03-12 03:00:11,266 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 748\n2026-03-12 03:00:11,329 [lib.api.process] INFO: Monitor config for <Process 748 lsass.exe>: C:\\fo9rzin5\\dll\\748.ini\n2026-03-12 03:00:11,329 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to 
monitor\n2026-03-12 03:00:11,344 [lib.api.process] INFO: 64-bit DLL to inject is C:\\fo9rzin5\\dll\\vExnnK.dll, loader C:\\fo9rzin5\\bin\\QvBkPcCr.exe\n2026-03-12 03:00:11,500 [root] DEBUG: Loader: Injecting process 748 with C:\\fo9rzin5\\dll\\vExnnK.dll.\n2026-03-12 03:00:11,867 [root] DEBUG: 748: Python path set to 'C:\\Users\\malware\\AppData\\Local\\Programs\\Python\\Python310-32'.\n2026-03-12 03:00:11,883 [root] DEBUG: 748: Disabling sleep skipping.\n2026-03-12 03:00:11,883 [root] DEBUG: 748: TLS secret dump mode enabled.\n2026-03-12 03:00:11,945 [root] DEBUG: 748: RtlInsertInvertedFunctionTable 0x00007FF9CA43BBEA, LdrpInvertedFunctionTableSRWLock 0x00007FF9CA5970F0\n2026-03-12 03:00:11,945 [root] DEBUG: 748: Monitor initialised: 64-bit capemon loaded in process 748 at 0x00007FF982320000, thread 5560, image base 0x00007FF7F2AF0000, stack from 0x0000000C69BB2000-0x0000000C69BC0000\n2026-03-12 03:00:11,945 [root] DEBUG: 748: Commandline: C:\\Windows\\system32\\lsass.exe\n2026-03-12 03:00:11,992 [root] DEBUG: 748: Hooked 5 out of 5 functions\n2026-03-12 03:00:11,992 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-03-12 03:00:11,992 [root] DEBUG: Successfully injected DLL C:\\fo9rzin5\\dll\\vExnnK.dll.\n2026-03-12 03:00:11,992 [lib.api.process] INFO: Injected into 64-bit <Process 748 lsass.exe>\n2026-03-12 03:00:11,992 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-03-12 03:00:17,700 [root] INFO: Restarting WMI Service\n2026-03-12 03:00:19,809 [root] DEBUG: package modules.packages.batch does not support configure, ignoring\n2026-03-12 03:00:19,809 [root] WARNING: configuration error for package modules.packages.batch: error importing data.packages.batch: No module named 'data.packages'\n2026-03-12 03:00:19,809 [lib.core.compound] INFO: C:\\Users\\malware\\AppData\\Local\\Temp already exists, skipping creation\n2026-03-12 03:00:19,825 [lib.api.process] INFO: Successfully executed 
process from path \"C:\\Windows\\system32\\cmd.exe\" with arguments \"/c start /wait \"\" \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"\" with pid 4136\n2026-03-12 03:00:19,825 [lib.api.process] INFO: Monitor config for <Process 4136 cmd.exe>: C:\\fo9rzin5\\dll\\4136.ini\n2026-03-12 03:00:19,825 [lib.api.process] INFO: 32-bit DLL to inject is C:\\fo9rzin5\\dll\\UStemzU.dll, loader C:\\fo9rzin5\\bin\\TNeyeLA.exe\n2026-03-12 03:00:19,965 [root] DEBUG: Loader: Injecting process 4136 (thread 3820) with C:\\fo9rzin5\\dll\\UStemzU.dll.\n2026-03-12 03:00:19,965 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-03-12 03:00:19,965 [root] DEBUG: Successfully injected DLL C:\\fo9rzin5\\dll\\UStemzU.dll.\n2026-03-12 03:00:19,965 [lib.api.process] INFO: Injected into 32-bit <Process 4136 cmd.exe>\n2026-03-12 03:00:21,986 [lib.api.process] INFO: Successfully resumed <Process 4136 cmd.exe>\n2026-03-12 03:00:22,509 [root] DEBUG: 4136: Python path set to 'C:\\Users\\malware\\AppData\\Local\\Programs\\Python\\Python310-32'.\n2026-03-12 03:00:22,509 [root] DEBUG: 4136: Disabling sleep skipping.\n2026-03-12 03:00:22,509 [root] DEBUG: 4136: Dropped file limit defaulting to 100.\n2026-03-12 03:00:22,924 [root] DEBUG: 4136: YaraInit: Compiled 44 rule files\n2026-03-12 03:00:22,924 [root] DEBUG: 4136: YaraInit: Compiled rules saved to file C:\\fo9rzin5\\data\\yara\\capemon.yac\n2026-03-12 03:00:22,940 [root] DEBUG: 4136: YaraScan: Scanning 0x00540000, size 0x5a54a\n2026-03-12 03:00:22,940 [root] DEBUG: 4136: YaraScan hit: FindFixAndRun\n2026-03-12 03:00:22,940 [root] DEBUG: 4136: Monitor initialised: 32-bit capemon loaded in process 4136 at 0x73630000, thread 3820, image base 0x540000, stack from 0x2e83000-0x2f80000\n2026-03-12 03:00:22,940 [root] DEBUG: 4136: Commandline: \"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"\n2026-03-12 03:00:23,018 [root] DEBUG: 4136: hook_api: LdrpCallInitRoutine 
export address 0x776066C0 obtained via GetFunctionAddress\n2026-03-12 03:00:23,049 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2026-03-12 03:00:23,049 [root] DEBUG: 4136: set_hooks: Unable to hook GetCommandLineA\n2026-03-12 03:00:23,049 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2026-03-12 03:00:23,049 [root] DEBUG: 4136: set_hooks: Unable to hook GetCommandLineW\n2026-03-12 03:00:23,065 [root] DEBUG: 4136: Hooked 630 out of 632 functions\n2026-03-12 03:00:23,080 [root] DEBUG: 4136: set_hooks_exe: Hooked FindFixAndRun at 0x0054D170\n2026-03-12 03:00:23,080 [root] DEBUG: 4136: Syscall hook installed, syscall logging level 1\n2026-03-12 03:00:23,096 [root] DEBUG: 4136: RestoreHeaders: Restored original import table.\n2026-03-12 03:00:23,096 [root] INFO: Loaded monitor into process with pid 4136\n2026-03-12 03:00:23,096 [root] DEBUG: 4136: caller_dispatch: Added region at 0x00540000 to tracked regions list (ntdll::NtOpenThread returns to 0x005539B4, thread 3820).\n2026-03-12 03:00:23,096 [root] DEBUG: 4136: YaraScan: Scanning 0x00540000, size 0x5a54a\n2026-03-12 03:00:23,096 [root] DEBUG: 4136: ProcessImageBase: Main module image at 0x00540000 unmodified (entropy change 0.000000e+00)\n2026-03-12 03:00:23,158 [root] DEBUG: 4136: InstrumentationCallback: Added region at 0x76581D9C (base 0x76430000) to tracked regions list (thread 3820).\n2026-03-12 03:00:23,158 [root] DEBUG: 4136: ProcessTrackedRegion: Region at 0x76430000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-03-12 03:00:23,174 [root] DEBUG: 4136: CreateProcessHandler: Injection info set for new process 5732: C:\\Windows\\system32\\cmd.exe, ImageBase: 0x00540000\n2026-03-12 03:00:23,190 [root] INFO: Announced 32-bit process name: cmd.exe pid: 5732\n2026-03-12 03:00:23,190 [lib.api.process] INFO: Monitor config for <Process 5732 cmd.exe>: C:\\fo9rzin5\\dll\\5732.ini\n2026-03-12 03:00:23,190 [lib.api.process] INFO: 32-bit 
DLL to inject is C:\\fo9rzin5\\dll\\UStemzU.dll, loader C:\\fo9rzin5\\bin\\TNeyeLA.exe\n2026-03-12 03:00:23,236 [root] DEBUG: Loader: Injecting process 5732 (thread 6772) with C:\\fo9rzin5\\dll\\UStemzU.dll.\n2026-03-12 03:00:23,236 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-03-12 03:00:23,236 [root] DEBUG: Successfully injected DLL C:\\fo9rzin5\\dll\\UStemzU.dll.\n2026-03-12 03:00:23,236 [lib.api.process] INFO: Injected into 32-bit <Process 5732 cmd.exe>\n2026-03-12 03:00:23,252 [root] DEBUG: 4136: ProcessTrackedRegion: Region at 0x76430000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-03-12 03:00:23,480 [root] DEBUG: 5732: Python path set to 'C:\\Users\\malware\\AppData\\Local\\Programs\\Python\\Python310-32'.\n2026-03-12 03:00:23,495 [root] DEBUG: 5732: Disabling sleep skipping.\n2026-03-12 03:00:23,495 [root] DEBUG: 5732: Dropped file limit defaulting to 100.\n2026-03-12 03:00:23,495 [root] DEBUG: 5732: YaraInit: Compiled rules loaded from existing file C:\\fo9rzin5\\data\\yara\\capemon.yac\n2026-03-12 03:00:23,511 [root] DEBUG: 5732: YaraScan: Scanning 0x00540000, size 0x5a54a\n2026-03-12 03:00:23,511 [root] DEBUG: 5732: YaraScan hit: FindFixAndRun\n2026-03-12 03:00:23,511 [root] DEBUG: 5732: Monitor initialised: 32-bit capemon loaded in process 5732 at 0x73630000, thread 6772, image base 0x540000, stack from 0x2a03000-0x2b00000\n2026-03-12 03:00:23,511 [root] DEBUG: 5732: Commandline: C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\"\n2026-03-12 03:00:23,558 [root] DEBUG: 5732: hook_api: LdrpCallInitRoutine export address 0x776066C0 obtained via GetFunctionAddress\n2026-03-12 03:00:23,589 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2026-03-12 03:00:23,589 [root] DEBUG: 5732: set_hooks: Unable to hook GetCommandLineA\n2026-03-12 03:00:23,605 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2026-03-12 03:00:23,605 
[root] DEBUG: 5732: set_hooks: Unable to hook GetCommandLineW\n2026-03-12 03:00:23,620 [root] DEBUG: 5732: Hooked 630 out of 632 functions\n2026-03-12 03:00:23,620 [root] DEBUG: 5732: set_hooks_exe: Hooked FindFixAndRun at 0x0054D170\n2026-03-12 03:00:23,636 [root] DEBUG: 5732: Syscall hook installed, syscall logging level 1\n2026-03-12 03:00:23,636 [root] DEBUG: 5732: RestoreHeaders: Restored original import table.\n2026-03-12 03:00:23,636 [root] INFO: Loaded monitor into process with pid 5732\n2026-03-12 03:00:23,636 [root] DEBUG: 5732: caller_dispatch: Added region at 0x00540000 to tracked regions list (ntdll::NtOpenThread returns to 0x005539B4, thread 6772).\n2026-03-12 03:00:23,652 [root] DEBUG: 5732: YaraScan: Scanning 0x00540000, size 0x5a54a\n2026-03-12 03:00:23,652 [root] DEBUG: 5732: ProcessImageBase: Main module image at 0x00540000 unmodified (entropy change 0.000000e+00)\n2026-03-12 03:00:23,721 [root] DEBUG: 5732: InstrumentationCallback: Added region at 0x76581D9C (base 0x76430000) to tracked regions list (thread 6772).\n2026-03-12 03:00:23,721 [root] DEBUG: 5732: ProcessTrackedRegion: Region at 0x76430000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-03-12 03:00:23,736 [root] DEBUG: 5732: DLL loaded at 0x73620000: C:\\Windows\\SYSTEM32\\cmdext (0xd000 bytes).\n2026-03-12 03:00:23,783 [root] DEBUG: 5732: DLL loaded at 0x774B0000: C:\\Windows\\System32\\shcore (0xc1000 bytes).\n2026-03-12 03:00:23,783 [root] DEBUG: 5732: DLL loaded at 0x735E0000: C:\\Windows\\System32\\srpapi (0x29000 bytes).\n2026-03-12 03:00:23,799 [root] DEBUG: 5732: DLL loaded at 0x73610000: C:\\Windows\\system32\\appidapi (0x10000 bytes).\n2026-03-12 03:00:23,799 [root] DEBUG: 5732: DLL loaded at 0x75310000: C:\\Windows\\System32\\bcryptprimitives (0x62000 bytes).\n2026-03-12 03:00:23,799 [root] DEBUG: 5732: DLL loaded at 0x73900000: C:\\Windows\\system32\\uxtheme (0x7f000 bytes).\n2026-03-12 03:00:23,924 [root] DEBUG: 
5732: CreateProcessHandler: Injection info set for new process 7116: C:\\Windows\\system32\\ipconfig.exe, ImageBase: 0x00710000\n2026-03-12 03:00:23,924 [root] INFO: Announced 32-bit process name: ipconfig.exe pid: 7116\n2026-03-12 03:00:23,924 [lib.api.process] INFO: Monitor config for <Process 7116 ipconfig.exe>: C:\\fo9rzin5\\dll\\7116.ini\n2026-03-12 03:00:23,924 [lib.api.process] INFO: 32-bit DLL to inject is C:\\fo9rzin5\\dll\\UStemzU.dll, loader C:\\fo9rzin5\\bin\\TNeyeLA.exe\n2026-03-12 03:00:23,972 [root] DEBUG: Loader: Injecting process 7116 (thread 2792) with C:\\fo9rzin5\\dll\\UStemzU.dll.\n2026-03-12 03:00:23,987 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-03-12 03:00:23,987 [root] DEBUG: Successfully injected DLL C:\\fo9rzin5\\dll\\UStemzU.dll.\n2026-03-12 03:00:23,987 [lib.api.process] INFO: Injected into 32-bit <Process 7116 ipconfig.exe>\n2026-03-12 03:00:24,003 [root] DEBUG: 5732: ProcessTrackedRegion: Region at 0x76430000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-03-12 03:00:24,144 [root] DEBUG: 7116: Python path set to 'C:\\Users\\malware\\AppData\\Local\\Programs\\Python\\Python310-32'.\n2026-03-12 03:00:24,144 [root] DEBUG: 7116: Dropped file limit defaulting to 100.\n2026-03-12 03:00:24,144 [root] DEBUG: 7116: Disabling sleep skipping.\n2026-03-12 03:00:24,144 [root] DEBUG: 7116: YaraInit: Compiled rules loaded from existing file C:\\fo9rzin5\\data\\yara\\capemon.yac\n2026-03-12 03:00:24,159 [root] DEBUG: 7116: YaraScan: Scanning 0x00710000, size 0xb3fe\n2026-03-12 03:00:24,159 [root] DEBUG: 7116: Monitor initialised: 32-bit capemon loaded in process 7116 at 0x73630000, thread 2792, image base 0x710000, stack from 0x2de4000-0x2df0000\n2026-03-12 03:00:24,159 [root] DEBUG: 7116: Commandline: ipconfig\n2026-03-12 03:00:24,191 [root] DEBUG: 7116: hook_api: LdrpCallInitRoutine export address 0x776066C0 obtained via GetFunctionAddress\n2026-03-12 03:00:24,237 [root] 
WARNING: b'Unable to place hook on GetCommandLineA'\n2026-03-12 03:00:24,237 [root] DEBUG: 7116: set_hooks: Unable to hook GetCommandLineA\n2026-03-12 03:00:24,237 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2026-03-12 03:00:24,237 [root] DEBUG: 7116: set_hooks: Unable to hook GetCommandLineW\n2026-03-12 03:00:24,269 [root] DEBUG: 7116: Hooked 630 out of 632 functions\n2026-03-12 03:00:24,269 [root] DEBUG: 7116: Syscall hook installed, syscall logging level 1\n2026-03-12 03:00:24,269 [root] DEBUG: 7116: RestoreHeaders: Restored original import table.\n2026-03-12 03:00:24,269 [root] INFO: Loaded monitor into process with pid 7116\n2026-03-12 03:00:24,284 [root] DEBUG: 7116: caller_dispatch: Added region at 0x00710000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0071590A, thread 2792).\n2026-03-12 03:00:24,284 [root] DEBUG: 7116: YaraScan: Scanning 0x00710000, size 0xb3fe\n2026-03-12 03:00:24,284 [root] DEBUG: 7116: ProcessImageBase: Main module image at 0x00710000 unmodified (entropy change 0.000000e+00)\n2026-03-12 03:00:24,300 [root] DEBUG: 7116: InstrumentationCallback: Added region at 0x76581D9C (base 0x76430000) to tracked regions list (thread 2792).\n2026-03-12 03:00:24,316 [root] DEBUG: 7116: ProcessTrackedRegion: Region at 0x76430000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-03-12 03:00:24,409 [root] DEBUG: 7116: NtTerminateProcess hook: Attempting to dump process 7116\n2026-03-12 03:00:24,409 [root] DEBUG: 7116: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-03-12 03:00:24,472 [root] INFO: Process with pid 7116 has terminated\n2026-03-12 03:01:22,775 [root] INFO: Analysis timeout hit, terminating analysis\n2026-03-12 03:01:22,775 [lib.api.process] INFO: Terminate event set for <Process 4136 cmd.exe>\n2026-03-12 03:01:22,775 [root] DEBUG: 4136: Terminate Event: Attempting to dump process 4136\n2026-03-12 03:01:22,775 [root] DEBUG: 
4136: VerifyCodeSection: Executable code does not match, 0xc172 of 0x2df59 matching\n2026-03-12 03:01:22,775 [root] DEBUG: 4136: DoProcessDump: Code modification detected, dumping Imagebase at 0x00540000.\n2026-03-12 03:01:22,791 [root] DEBUG: 4136: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-03-12 03:01:22,791 [root] DEBUG: 4136: DumpProcess: Instantiating PeParser with address: 0x00540000.\n2026-03-12 03:01:22,791 [root] DEBUG: 4136: DumpProcess: Module entry point VA is 0x0055BD70.\n2026-03-12 03:01:22,916 [lib.common.results] INFO: Uploading file C:\\cviTrXvdj\\CAPE\\4136_330462211012432026 to procdump\\4c0faeea52c90d27fc245f77c8c05d5e36e4e5d3e667aca752d7f82d3425ca55; Size is 355840; Max size: 100000000\n2026-03-12 03:01:22,947 [root] DEBUG: 4136: DumpProcess: Module image dump success - dump size 0x56e00.\n2026-03-12 03:01:22,947 [lib.api.process] INFO: Termination confirmed for <Process 4136 cmd.exe>\n2026-03-12 03:01:22,947 [root] DEBUG: 4136: Terminate Event: monitor shutdown complete for process 4136\n2026-03-12 03:01:22,963 [root] INFO: Terminate event set for process 4136\n2026-03-12 03:01:22,963 [lib.api.process] INFO: Terminate event set for <Process 5732 cmd.exe>\n2026-03-12 03:01:22,963 [root] DEBUG: 5732: Terminate Event: Attempting to dump process 5732\n2026-03-12 03:01:22,978 [root] DEBUG: 5732: VerifyCodeSection: Executable code does not match, 0xc172 of 0x2df59 matching\n2026-03-12 03:01:22,978 [root] DEBUG: 5732: DoProcessDump: Code modification detected, dumping Imagebase at 0x00540000.\n2026-03-12 03:01:22,978 [root] DEBUG: 5732: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-03-12 03:01:22,978 [root] DEBUG: 5732: DumpProcess: Instantiating PeParser with address: 0x00540000.\n2026-03-12 03:01:22,994 [root] DEBUG: 5732: DumpProcess: Module entry point VA is 0x0055BD70.\n2026-03-12 03:01:23,072 [lib.common.results] INFO: Uploading file C:\\cviTrXvdj\\CAPE\\5732_407542211012432026 to 
procdump\\a319c40cd65e2aaf276b878cb491f56ec21ab307ee06aded3b10b328006e34e5; Size is 356864; Max size: 100000000\n2026-03-12 03:01:23,103 [root] DEBUG: 5732: DumpProcess: Module image dump success - dump size 0x57200.\n2026-03-12 03:01:23,119 [lib.api.process] INFO: Termination confirmed for <Process 5732 cmd.exe>\n2026-03-12 03:01:23,119 [root] DEBUG: 5732: Terminate Event: monitor shutdown complete for process 5732\n2026-03-12 03:01:23,119 [root] INFO: Terminate event set for process 5732\n2026-03-12 03:01:23,119 [root] INFO: Created shutdown mutex\n2026-03-12 03:01:24,166 [root] INFO: Shutting down package\n2026-03-12 03:01:24,244 [root] INFO: Stopping auxiliary modules\n2026-03-12 03:01:24,338 [root] INFO: Stopping auxiliary module: Browser\n2026-03-12 03:01:24,431 [root] INFO: Stopping auxiliary module: Human\n2026-03-12 03:01:25,245 [root] INFO: Stopping auxiliary module: Screenshots\n2026-03-12 03:01:25,245 [root] INFO: Finishing auxiliary modules\n2026-03-12 03:01:25,245 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-03-12 03:01:25,245 [root] WARNING: Folder at path \"C:\\cviTrXvdj\\debugger\" does not exist, skipping\n2026-03-12 03:01:25,245 [root] WARNING: Folder at path \"C:\\cviTrXvdj\\tlsdump\" does not exist, skipping\n2026-03-12 03:01:25,245 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "f78fa29f055a613e0d66fe0ba07ac57efb155ec79595cf5beced7dd36c38c4df",
    "hosts": [
      {
        "ip": "151.205.4.185",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "151.205.4.91",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "151.205.0.39",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      }
    ],
    "domains": [],
    "tcp": [],
    "udp": [
      {
        "src": "192.168.55.101",
        "sport": 57620,
        "dst": "192.168.55.1",
        "dport": 53,
        "offset": 19328,
        "time": 35.023598194122314
      },
      {
        "src": "192.168.55.101",
        "sport": 50436,
        "dst": "192.168.55.1",
        "dport": 53,
        "offset": 20401,
        "time": 37.09961819648743
      }
    ],
    "icmp": [],
    "http": [],
    "dns": [],
    "smtp": [],
    "irc": [],
    "dead_hosts": [
      [
        "151.205.4.91",
        80
      ],
      [
        "192.168.55.101",
        49875
      ],
      [
        "151.205.4.185",
        80
      ],
      [
        "192.168.55.101",
        49877
      ],
      [
        "48.211.71.197",
        443
      ],
      [
        "192.168.55.101",
        49880
      ],
      [
        "192.168.55.101",
        49881
      ],
      [
        "192.168.55.101",
        49882
      ],
      [
        "192.168.55.101",
        49883
      ],
      [
        "192.168.55.101",
        49885
      ],
      [
        "192.168.55.101",
        49886
      ],
      [
        "192.168.55.101",
        49887
      ],
      [
        "192.168.55.101",
        49888
      ],
      [
        "192.168.55.101",
        49891
      ],
      [
        "192.168.55.101",
        49892
      ],
      [
        "192.168.55.101",
        49893
      ],
      [
        "192.168.55.101",
        49894
      ],
      [
        "192.168.55.101",
        49895
      ],
      [
        "192.168.55.101",
        49896
      ],
      [
        "192.168.55.101",
        49897
      ],
      [
        "192.168.55.101",
        49898
      ],
      [
        "192.168.55.101",
        49899
      ],
      [
        "192.168.55.101",
        49900
      ],
      [
        "192.168.55.101",
        49901
      ],
      [
        "192.168.55.101",
        49902
      ],
      [
        "192.168.55.101",
        49903
      ],
      [
        "192.168.55.101",
        49904
      ],
      [
        "192.168.55.101",
        49905
      ],
      [
        "192.168.55.101",
        49906
      ],
      [
        "192.168.55.101",
        49907
      ],
      [
        "192.168.55.101",
        49908
      ],
      [
        "192.168.55.101",
        49909
      ],
      [
        "192.168.55.101",
        49910
      ],
      [
        "192.168.55.101",
        49911
      ],
      [
        "192.168.55.101",
        49912
      ],
      [
        "192.168.55.101",
        49913
      ],
      [
        "192.168.55.101",
        49914
      ],
      [
        "192.168.55.101",
        49915
      ],
      [
        "192.168.55.101",
        49916
      ],
      [
        "192.168.55.101",
        49917
      ],
      [
        "192.168.55.101",
        49918
      ],
      [
        "192.168.55.101",
        49919
      ],
      [
        "192.168.55.101",
        49920
      ]
    ]
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "queries_locale_api",
      "description": "Queries the computer locale (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4136,
          "cid": 83
        },
        {
          "type": "call",
          "pid": 5732,
          "cid": 84
        },
        {
          "type": "call",
          "pid": 7116,
          "cid": 43
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antivm_network_adapters",
      "description": "Checks adapter addresses which can be used to detect virtual network interfaces",
      "categories": [
        "anti-vm"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7116,
          "cid": 93
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "stealth_timeout",
      "description": "Possible date expiration check, exits too soon after checking local time",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "process": "ipconfig.exe, PID 7116"
        },
        {
          "type": "call",
          "pid": 7116,
          "cid": 403
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "language_check_registry",
      "description": "Checks system language via registry key (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
        },
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "uses_windows_utilities",
      "description": "Uses Windows utilities for basic functionality",
      "categories": [
        "command",
        "lateral"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "command": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\malware\\AppData\\Local\\Temp\\test_win.bat\""
        },
        {
          "command": "ipconfig"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 2.2,
  "ttps": [
    {
      "signature": "uses_windows_utilities",
      "ttps": [
        "T1202"
      ],
      "mbcs": [
        "OB0009",
        "E1203.m06"
      ]
    }
  ],
  "malstatus": null
}