{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 2.743
      },
      {
        "name": "AnalysisInfo",
        "time": 0.009
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.027
      },
      {
        "name": "Debug",
        "time": 0.001
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.04
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_setunhandledexceptionfilter",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "hardware_id_profiling",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_scsi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_services",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "amsi_enumeration",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "suspicious_ntdll_disk_load",
        "time": 0.0
      },
      {
        "name": "direct_syscall_evasion",
        "time": 0.0
      },
      {
        "name": "unbacked_syscall_execution",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "privilege_elevation_check",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "query_fips_reconnaissance",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "debugs_self",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "dllload_suspicious_directory",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "install_kernel_driver_service",
        "time": 0.0
      },
      {
        "name": "malformed_dll_loading",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "registers_vectored_exception_handler",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_module_stomping_probing",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "section_mapping_injection",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "apc_injection",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_mutex",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_named_pipe",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_shared_memory",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "unbacked_exception_filter",
        "time": 0.0
      },
      {
        "name": "unbacked_process_mitigation_alteration",
        "time": 0.0
      },
      {
        "name": "thread_unbacked_memory",
        "time": 0.0
      },
      {
        "name": "unbacked_api_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_dotnet_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_library_load",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_apc_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_protection_alteration",
        "time": 0.0
      },
      {
        "name": "unbacked_mutex_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_process_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_veh_registration",
        "time": 0.0
      },
      {
        "name": "unbacked_com_instantiation",
        "time": 0.0
      },
      {
        "name": "unbacked_crypto_operations",
        "time": 0.0
      },
      {
        "name": "unbacked_delay_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_file_dropping",
        "time": 0.0
      },
      {
        "name": "unbacked_process_enumeration",
        "time": 0.0
      },
      {
        "name": "unbacked_registry_modification",
        "time": 0.0
      },
      {
        "name": "unbacked_service_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_token_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_wmi_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_bind_shell",
        "time": 0.0
      },
      {
        "name": "unbacked_dns_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_network_connection",
        "time": 0.0
      },
      {
        "name": "unbacked_named_pipe_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_useragent_retrieval",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "etherhiding_smart_contract_call",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "decompress_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "ransomware_iocp_asynchronous_encryption",
        "time": 0.0
      },
      {
        "name": "kernel_crypto_driver_abuse",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_extension_hijack",
        "time": 0.0
      },
      {
        "name": "mass_file_modification_access",
        "time": 0.0
      },
      {
        "name": "ransomware_attribute_stripping",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "mass_ransom_note_drop",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_system_procname",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "byod_loldrivers_match",
        "time": 0.0
      },
      {
        "name": "byod_novel_driver",
        "time": 0.0
      },
      {
        "name": "byod_post_load_exploitation",
        "time": 0.0
      },
      {
        "name": "byod_driver_service_install",
        "time": 0.0
      },
      {
        "name": "com_spawned_process",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.001
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.0
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.0
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.0
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.0
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "pe_deep_entrypoint",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "pe_cert_invalid_signature",
        "time": 0.0
      },
      {
        "name": "pe_cert_self_signed",
        "time": 0.0
      },
      {
        "name": "pe_cert_suspicious_issuer",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "sigma_events",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "browser_credential_theft_headless",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.0
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.003
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.001
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.005
      },
      {
        "name": "antiav_detectreg",
        "time": 0.005
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.0
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.0
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.0
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.0
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.0
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.002
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.0
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.0
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "executes_headless_browser",
        "time": 0.0
      },
      {
        "name": "suspicious_browser_arguments",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.0
      },
      {
        "name": "checks_uac_status",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.0
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "folder_enumeration",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.003
      },
      {
        "name": "infostealer_ftp",
        "time": 0.003
      },
      {
        "name": "infostealer_im",
        "time": 0.002
      },
      {
        "name": "infostealer_mail",
        "time": 0.002
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.005
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.0
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.0
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.0
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.0
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.0
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.003
      },
      {
        "name": "ransomware_files",
        "time": 0.005
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.0
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.001
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.0
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.003
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.001
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.002
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "testt.bat",
      "path": "/opt/CAPEv2/storage/binaries/6aea9b9f8ad777ea38fc5e0ba596459f14dd2e99d7445efbb58e88b120958d31",
      "guest_paths": "",
      "size": 443,
      "crc32": "244EF07D",
      "md5": "5eeca5cd9cdcf7b4f1bb39293a917d32",
      "sha1": "760a2e7fc6afc2bac32929e5863239598d4520b6",
      "sha256": "6aea9b9f8ad777ea38fc5e0ba596459f14dd2e99d7445efbb58e88b120958d31",
      "sha512": "5c4e0cf42022586333c00caed2ed66a5121c11a8cb8a1f49c5d1422ceb671cd65a1d291062f11cd943feedd19908a599c4159c070c8b528d9799d9dd06af3edb",
      "rh_hash": null,
      "ssdeep": "12:Ci4pvXL+V0VscTZrR0mrSbtTtD7Kqlrud:CiYPLvMDbtTtPyd",
      "type": "ASCII text, with very long lines (443), with no line terminators",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T187F0F1E759DA6CDD3FD3DC73B124780B1D93482D15DD85B6B16CAAAC23C9C52221C1D2",
      "sha3_384": "62b8eb1eb5a97b60bb4a156e91c7668abf06e84898b08bd2a55f861cf91bcaa7ea8f2afa977b2a48716304f6ec0c1c5c",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "data": "start \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --disable-features=RendererCodeIntegrity \"https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/&dsh=S1728256510:1782835636577168&flowEntry=SignUp&flowName=GlifWebSignIn&gae=cb-none&hl=en&ifkv=AcDsRvw1CVsatnVW1CzmzWxQ1V9pF_Jx6qr7YX2pv5dF3ZGMdZRyE_qxOcHoXhFXQ1a1udHRcipYUQ&TL=ADCchmYjO8KuFmMZ51Nd2dCy-QPkK3MUbwYbQkB1CTnKBntpStl5cylS4R6mzDzE\" \"",
      "strings": [],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "procdump": [
    {
      "name": "c1f45c0a3f5ca544584ee7c67ac1c6836867e503969d246fee58443e574a9acc",
      "path": "/opt/CAPEv2/storage/analyses/113/procdump/c1f45c0a3f5ca544584ee7c67ac1c6836867e503969d246fee58443e574a9acc",
      "guest_paths": "1;?C:\\Windows\\System32\\cmd.exe;?C:\\Windows\\System32\\cmd.exe;?",
      "size": 403456,
      "crc32": "3CCD79BE",
      "md5": "68b823c9097b886aacc725559598848c",
      "sha1": "6e56866ba30f6161c2ba0b9c7a178348db5d1a6a",
      "sha256": "c1f45c0a3f5ca544584ee7c67ac1c6836867e503969d246fee58443e574a9acc",
      "sha512": "813687a9f5c5fd8ee5a6e7ae199c0806daf805b9dca54be943072f3199ee6adf9b51a7cb1b175ad899bb252cd289edffcd6767cf0294be987a48a1dac2c7fc5f",
      "rh_hash": null,
      "ssdeep": "6144:U4WA1BVBxDfQWKORSqY4zOcmpdlc3RJdmt3AGl7m:31BJkWvSqY4zvmjOBJIxAK",
      "type": "PE32+ executable (console) x86-64, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T15B84395D33D928A5D52382399943C236C6B27C346321A6EF12D0DD7B6F23AE9B634F05",
      "sha3_384": "b48a67d060bb90b98748671c51c8eb4957ea6d9f728437949b216e9252bd7d6ca68c78456bedf3d4995f3c8b3b316ff1",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\113\\testt.bat",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x7ff60e030000",
        "entrypoint": "0x00018f50",
        "ep_bytes": "4883ec28e82b0600004883c428e91efe",
        "peid_signatures": null,
        "reported_checksum": "0x00000000",
        "actual_checksum": "0x0006e2d0",
        "osversion": "10.0",
        "machine_type": "IMAGE_FILE_MACHINE_AMD64",
        "pdbpath": "cmd.pdb",
        "imports": {},
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x10000000",
            "size": "0x00000351"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0005d000",
            "size": "0x000084f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00059000",
            "size": "0x00002334"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00066000",
            "size": "0x0000030c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00035a60",
            "size": "0x00000054"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00032c10",
            "size": "0x00000118"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00039d20",
            "size": "0x00000080"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x00031000",
            "size_of_data": "0x00031000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.31"
          },
          {
            "name": ".rdata",
            "raw_address": "0x00031400",
            "virtual_address": "0x00032000",
            "virtual_size": "0x0000b000",
            "size_of_data": "0x0000a600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "5.15"
          },
          {
            "name": ".data",
            "raw_address": "0x0003ba00",
            "virtual_address": "0x0003d000",
            "virtual_size": "0x0001c000",
            "size_of_data": "0x0001be00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.30"
          },
          {
            "name": ".pdata",
            "raw_address": "0x00057800",
            "virtual_address": "0x00059000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "5.49"
          },
          {
            "name": ".didat",
            "raw_address": "0x00059c00",
            "virtual_address": "0x0005c000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "1.30"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00059e00",
            "virtual_address": "0x0005d000",
            "virtual_size": "0x00009000",
            "size_of_data": "0x00008600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.36"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00062400",
            "virtual_address": "0x00066000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "4.68"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "MUI",
            "offset": "0x00065420",
            "size": "0x000000d8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.68"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005d778",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.65"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005dde0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e0c8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e1f0",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.06"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f098",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f940",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "0.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005fea8",
            "size": "0x0000169e",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.85"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00061548",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00063af0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00064b98",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00065000",
            "size": "0x00000092",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.90"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00065098",
            "size": "0x00000388",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.50"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0005d350",
            "size": "0x00000428",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.00"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Windows Command Processor"
          },
          {
            "name": "FileVersion",
            "value": "10.0.19041.746 (WinBuild.160101.0800)"
          },
          {
            "name": "InternalName",
            "value": "cmd"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "Cmd.Exe"
          },
          {
            "name": "ProductName",
            "value": "Microsoft® Windows® Operating System"
          },
          {
            "name": "ProductVersion",
            "value": "10.0.19041.746"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "",
        "timestamp": "2090-01-16 09:26:43",
        "icon": "iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAACp0lEQVR4nO2ZPW/TQByHH8cpUyWQ2NjKd+AjNK1U1ZGQkBjZYWNhQAIEUmFgKuwsSEhISElV0TeoVFUsnSLUgS6J2nRJA0mTpknss8OQ2thN3Z7Tl5ORH+lyf/sud7+fz3e+OJCQkBBrNIDnL2ceaZo2q1qMDJ1O+/HMqxfvAAvopQE0TZu9e+++MlHvP+QAePgge+bxl8+f3gIfgRpgpq9a7Em4QmWPgetAC78BPZWiUS2f2Vkv+BG5/Hidftav2/PlbvJz89ZtN0wDKTfon0nrzLx+868TXwMnxbLJcZyB2M2FENi2jRACy7K83DRN2u02nU4Hy7I8TT9/lQYuRir0MsUEz8Dx4YoLp45APp8nn8+Hli8sLFy4oKiEGsjlchiGgWEYzM3Neefn5+cD9RYXFy9PnQRSc2B6etqLp6amvHhychKApaWlC5Ylz7kn8cTEBADLy8vnFjMMUgZOu4UAMpkMACsrKxckSx7vOXB8Ecpms94EDruF/IyPjwdGYXV1NbTT0dFRAG/Nd9F1HV3XA88LaQPVWmOg0DCMMxsAME2TWq3G2NgYzWaTRqOBpmlS3/Vj2za2bYeWV37vD5wbei/UbDapVCrs7e1Rr9eHbebcRDIghGBnZ4dSqcTh4eFlaYqElIGDgwOKxSK7u7sIIS5bUyRONSCEYGtri2KxKDWhVOBbhYLLULlcZnNzk263e+WiojAwAo7jUCgU2N7eVqEnMgEDpmmysbFBtVpVpScyngHH6bG2tkar1VKpJzLeVkLYduzEw//0iyyuJAZUkxhQTWJANYkB1cTeQGA3+u1HQZWOoUkD7NfrmfXvX9W9XovAs6dP7gBdQMDRf2TACHDjKI2oEBaBLvAHaAC2a0CjPxrXAF2RMFkEfRPhL5ASEhLiw1+s5V9Z8HnusgAAAABJRU5ErkJggg==",
        "icon_hash": "00d152c1523e56c619d25f6c96c21a41",
        "icon_fuzzy": "e55641fba39eaff4ee89e5fc0af8f337",
        "icon_dhash": "a2ae7a370101a3c0"
      },
      "data": null,
      "strings": [
        "fD9,0",
        "t$0L+",
        "kernelbase.dll",
        ".data$zz",
        "<description>Windows Command Processor</description>",
        "NtOpenFile",
        "CMD Internal Error %s",
        "            />",
        "api-ms-win-core-processenvironment-l1-1-0.dll",
        "fD9,Vu",
        "H+|$@H",
        "WriteFile",
        "qsort",
        "ReleaseMutex",
        "DISABLEEXTENSIONS",
        "|$ E3",
        "WaitForSingleObject",
        "value too large",
        "!KD4)#",
        "no such device",
        "H+L$xH",
        "t$ WAVAWH",
        "fD9t$\"",
        "ntdll.dll",
        "lstrcmpiW",
        "ProductVersion",
        "n(D9-c",
        "A^A\\]",
        "` AUAVAWH",
        "fD9d$P",
        ".data$pr00",
        "PathCompletionChar",
        "f9H\\u",
        "\\$dD9L$T",
        "bad allocation",
        "Se%ae`",
        "DPATH",
        "fA9<Du",
        "l$ E3",
        "fD9l$ ",
        "start \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --disable-features=RendererCodeIntegrity \"https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/&dsh=S1728256510:1782835636577168&flowEntry=SignUp&flowName=GlifWebSignIn&gae=cb-none&hl=en&ifkv=AcDsRvw1CVsatnVW1CzmzWxQ1V9pF_Jx6qr7YX2pv5dF3ZGMdZRyE_qxOcHoXhFXQ1a1udHRcipYUQ&TL=ADCchmYjO8KuFmMZ51Nd2dCy-QPkK3MUbwYbQkB1CTnKBntpStl5cylS4R6mzDzE\" \"",
        "fE9,Ft",
        "FindNextFileW",
        "CallContext:[%hs] ",
        "A_A^A]_]",
        "address not available",
        ";:u&A",
        "CCCC@40`P@ ",
        "fD9|F0u",
        "f98tDA",
        "\\$ UH",
        "D9t$p",
        "APerformArithmeticOperation: '%c'",
        ".text$mn",
        "UWAWH",
        "already connected",
        "RtlDosPathNameToRelativeNtPathName_U_WithStatus",
        "??0exception@@QEAA@AEBQEBDH@Z",
        "oD$ f",
        "H9t$Xt eH",
        "t$pE3",
        "    </windowsSettings>",
        "HcT$8H",
        "D$0E3",
        "8*uUH",
        "D$ I;",
        "fD9<Cu",
        "swscanf",
        "fD9,Au",
        "fD99t~D9=<u",
        "f94yu",
        "l$PLcv$I",
        "permission_denied",
        "WNetAddConnection2WStub",
        "D$XfD",
        "GetFileType",
        "result out of range",
        "L$0H;",
        "MM/dd/yy",
        "DisableUNCCheck",
        "`A_A^A\\_^][",
        "fF9$Cu",
        "D;d$@D",
        "system",
        "fE9&tdA",
        "text file busy",
        "GlobalAlloc",
        "fA9,Pu",
        "D9L$l",
        "api-ms-win-core-console-l1-1-0.dll",
        "fD9$xu",
        "api-ms-win-core-winrt-l1-1-0.dll",
        "no lock available",
        "GetFileAttributesExW",
        "D$DE3",
        "NtOpenProcessToken",
        ".rdata$00$brc",
        "MoveFileWithProgressW",
        "L$`H3",
        "_CxxThrowException",
        "L$ht'A",
        "api-ms-win-core-libraryloader-l1-2-0.dll",
        "RtlReleaseRelativeName",
        "RtlFreeHeap",
        "Software\\Classes",
        "fA9<wu",
        "GetDriveTypeW",
        "GetEnvironmentVariableW",
        "chdir ",
        "*)))))))))))))))))))))",
        "8\\utH",
        "d$0E3",
        "Hct$ ",
        "G8f9C",
        "fD9 t&f",
        "yy/MM/dd",
        "\\CMD.EXE",
        "api-ms-win-core-file-l1-1-0.dll",
        ".rdata$zz",
        "MoveFileExW",
        "GetConsoleOutputCP",
        "    <security>",
        "@A_A^A]A\\_^[",
        "s AWH",
        "NTDLL.DLL",
        "u4D95N",
        "no such file or directory",
        ".bss$zz",
        "D$(@P",
        "DEFINED",
        "D9f$t",
        "D$@E3",
        "CopyFileExW",
        "OpenThread",
        "f9,Hu",
        "WaitForSingleObjectEx",
        "_cexit",
        "%02d%s%02d%s",
        "HcD$`H",
        "</trustInfo>",
        "operation_in_progress",
        "not a stream",
        "fD9/u",
        "u0D9d$ ",
        "Fxf9(u-3",
        "UWATAVAWH",
        "D8L$ ",
        "OpenSemaphoreW",
        "fE9DE",
        "A_A^A\\_]",
        "UpdateProcThreadAttribute",
        "SetConsoleTextAttribute",
        "9T$0u0",
        " A^A]A\\",
        "CreateSemaphoreExW",
        "not_connected",
        "fD9lC",
        "msvcrt.dll",
        "fA94Ru",
        "f90t7",
        "fD9tG",
        "            <requestedExecutionLevel",
        "not enough memory",
        "fF9$Iu",
        "not_a_socket",
        "MessageBeepStub",
        "operable program or batch file.",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "PROMPT",
        "DeleteFileW",
        "t$ WH",
        "fE9LE",
        "DeviceIoControl",
        "timed_out",
        "FormatMessageW",
        "generic",
        "    <windowsSettings xmlns:ws2=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">",
        "Application",
        "wcscmp",
        "KxfD91",
        "invalid string position",
        "ext-ms-win-shell-shell32-l1-2-0",
        "_wcsupr",
        "10.0.19041.746 (WinBuild.160101.0800)",
        "L$PH3",
        "SHIFT",
        " Windows",
        "t$ UWATAVAWH",
        " A^A\\_",
        ".data$brc",
        "_setjmp",
        "D8=is",
        "|$pA;",
        "D$0L;",
        "Microsoft",
        " A_A^_",
        "FileTimeToSystemTime",
        " A^_^",
        "_errno",
        "LoadLibraryExW",
        "HcD$ ",
        "%WINDOWS_COPYRIGHT%",
        "DISABLEDELAYEDEXPANSION",
        "CompanyName",
        "fB9<su",
        "fE9$vu",
        "SetThreadLocale",
        "FindFirstFileW",
        ".text$x",
        "no stream resources",
        "D9|$0u$E3",
        "fD94{u",
        "RtlDllShutdownInProgress",
        "fA98u",
        "t$@E3",
        "network_unreachable",
        "A_A^A]A\\_^[",
        "%s %s ",
        "D9-P8",
        "L$ H+",
        "fF9<Au",
        "    <windowsSettings>",
        "too many symbolic link levels",
        "SUWATAUAVAWH",
        "WriteConsoleW",
        "file too large",
        ".data$dk00$brc",
        "`A_A^A]A\\_^]",
        "_pipe",
        "TITLE",
        "NtOpenThreadToken",
        "D$Pf9",
        "D9-4m",
        ">1tUA",
        "FOR /?",
        "fD94Bu",
        "fE9$@u",
        "GetCurrentDirectoryW",
        "fD9|]",
        "D9d$x",
        "FindClose",
        "SetConsoleCtrlHandler",
        "BELOWNORMAL",
        "RegSetValueExW",
        "protocol not supported",
        "__C_specific_handler",
        "FtFfD9",
        " /K %s",
        "CloseHandle",
        "fD9<Hu",
        "x UAVAWH",
        "<noalias>",
        "fE9<nu",
        "t$HD9=",
        "9\\$<t",
        "CMDEXTVERSION",
        "GetCurrentProcess",
        "t$0E;",
        "wcsncmp",
        "fD9,Ju",
        "x AWH",
        "4FHcD$`H",
        "CreateHardLinkW",
        "fF9,gu",
        "NtClose",
        "GetModuleHandleW",
        "WATAUAVAWH",
        "no such process",
        "GetModuleHandleExW",
        "H!\\$ L",
        "GetFileInformationByHandleEx",
        "IsDebuggerPresent",
        "no_protocol_option",
        ".didat$6",
        "b$j-0",
        "GetSystemTime",
        "fD9:u",
        "operation would block",
        "L$HE3",
        "UVWAVAWH",
        "api-ms-win-core-memory-l1-1-0.dll",
        "FOR/?",
        "w5tlA",
        "        </requestedPrivileges>",
        " [..]",
        "%s %s%s ",
        "VAVAWH",
        "EnterCriticalSection",
        "tokens=",
        "f;D$`",
        "%d.%d.%05d.%d",
        "ENABLEDELAYEDEXPANSION",
        "SetErrorMode",
        "|$TfD",
        "GetVolumePathNameW",
        "invalid argument",
        "cCBR_p",
        "CSVFS",
        "x UATAVH",
        "\\$PE3",
        "L$xHc",
        "L$095",
        "bad address",
        "_pclose",
        "address_family_not_supported",
        "|$pI+",
        "connection_aborted",
        "NeedCurrentDirectoryForExePathW",
        "SUVWATAUAVAWH",
        ".CRT$XCZ",
        "ReadProcessMemory",
        "lstrcmpW",
        "resource deadlock would occur",
        "NtFsControlFile",
        "Msg:[%ws] ",
        "HcD$PM",
        "%hs(%d) tid(%x) %08X %ws",
        "WAUAVH",
        "api-ms-win-core-processtopology-l1-1-0.dll",
        "System",
        "((((&&(&&&(&(&&&&&&(((#&&###",
        "FlushFileBuffers",
        "RtlDisownModuleHeapAllocation",
        "??3@YAXPEAX@Z",
        ".rsrc",
        "ferror",
        "\\$ UVWATAUAVAWH",
        "()|&=,;\"",
        "7fD90",
        "QueryFullProcessImageNameWStub",
        "GetDateFormatW",
        "RENAME",
        "fD9$Hu",
        "=,;+/[] ",
        "GetLocaleInfoW",
        "udHRcipYUQ",
        ".didat$5",
        "MultiByteToWideChar",
        "?what@exception@@UEBAPEBDXZ",
        ";|$Xt",
        "InitializeCriticalSection",
        "f9<^u",
        ".gfids",
        "AfD9!u",
        "        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
        "protocol error",
        "ReadConsoleW",
        "GetModuleFileNameW",
        "fdpnxsatz",
        "|$[fD9?",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\resource.h",
        "fD9,8",
        "NtQueryVolumeInformationFile",
        "4qaCCRCCCB",
        "tRHcL$xI",
        "A^_^][",
        "fD9$Cu",
        " &()[]{}^=;!%'+,`~",
        "@USVWATAVAWH",
        "fF9$pu",
        "GetCPInfo",
        "no buffer space",
        "L$Pf9",
        "[%hs]",
        "SetLastError",
        "DD$`H",
        "StringFileInfo",
        ".text$mn$00",
        "D$@H9t$@",
        ".didat$4",
        "Redir: ",
        "CopyFileW",
        "VWAVH",
        "invalid seek",
        "Null environment",
        "REM/?",
        "CHcD$pH",
        ".?AVout_of_range@std@@",
        "fD9,Su",
        "COPYCMD",
        "A_A^A]A\\_",
        "fE9dw",
        "@SUVWATAUAVAWH",
        " [...]",
        "\\$$E3",
        "oT$@f",
        "FindFirstStreamWStub",
        "GetUserDefaultLCID",
        "argument out of domain",
        "destination address required",
        "D$xH#E",
        "towlower",
        "D9l$ ",
        "D$PfA",
        "connection_reset",
        "operation not permitted",
        "api-ms-win-core-delayload-l1-1-1.dll",
        "fD9,_u",
        "ReleaseSemaphore",
        "_open_osfhandle",
        "@.didat",
        ".?AVbad_alloc@std@@",
        "u*9Q<|%",
        "L$Xf91t",
        "@SAWH",
        "f9|$<tMI;",
        "A_A^A]A\\_^[]",
        "malloc",
        "D9t$0",
        ".rdata$00",
        "REALTIME",
        ".text$zz",
        "D9t$x",
        "D9t$<",
        "\\$(E3",
        "%hs(%u)\\%hs!%p: ",
        "ERRORLEVEL",
        "api-ms-win-core-debug-l1-1-0.dll",
        "_unlock",
        "fD94Hu",
        "D$D9E",
        "HcL$ HcD$$H",
        "inappropriate io control operation",
        "fD9,Cu",
        "connection aborted",
        "u3fD;",
        "F fD9",
        "H9D$x",
        ".CRT$XIY",
        "no child process",
        "fD9<Xu",
        "VirtualQuery",
        "NORMAL",
        " A_A^A]A\\_",
        "tlD8%",
        "fD9$Gu",
        "tart \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --disable-features=RendererCodeIntegrity \"https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/&dsh=S1728256510:1782835636577168&flowEntry=SignUp&flowName=GlifWebSignIn&gae=cb-none&hl=en&ifkv=AcDsRvw1CVsatnVW1CzmzWxQ1V9pF_Jx6qr7YX2pv5dF3ZGMdZRyE_qxOcHoXhFXQ1a1udHRcipYUQ&TL=ADCchmYjO8KuFmMZ51Nd2dCy-QPkK3MUbwYbQkB1CTnKBntpStl5cylS4R6mzDzE\" \"",
        "RANDOM",
        ".00cfg",
        "D9%PC",
        "f94Cu",
        "fE9$Fu",
        "Sleep",
        "D8L$ t",
        "FailFast",
        "p AWH",
        "GetLastError",
        "??_V@YAXPEAX@Z",
        "fF9Dj0u",
        "%04X-%04X",
        "api-ms-win-core-systemtopology-l1-1-0.dll",
        "SystemTimeToFileTime",
        "T$XD;{",
        "RtlCreateUnicodeStringFromAsciiz",
        "CHDIR",
        "D9l$d",
        ";:u.A",
        "DIRCMD",
        "interrupted",
        "_fmode",
        "fD9$su",
        "GetFullPathNameW",
        "host unreachable",
        "@WAVH",
        "f90t13",
        "1H9wx",
        "HcT$ L",
        "api-ms-win-core-localization-l1-2-0.dll",
        "CMDCMDLINE",
        "LogHr",
        "lext-ms-win-cmd-util-l1-1-0",
        "memcmp",
        "GetWindowsDirectoryW",
        "FTYPE",
        "LocalFree",
        "setlocale",
        "_commode",
        "                level=\"asInvoker\"",
        "L$XH+",
        "ExpandEnvironmentStringsW",
        "fE94Wu",
        "(fD97",
        "UWAUAVAWH",
        "Exception",
        "LookupAccountSidWStub",
        "ext-ms-win-branding-winbrand-l1-1-0.dll",
        "@A_A^]",
        "iswalpha",
        "G0HcW",
        "host_unreachable",
        "^fD9+",
        "LegalCopyright",
        "NDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
        "A_A^A\\_^[]",
        "fE9$wu",
        " A_A^A]A\\_^]",
        "address_not_available",
        "iswspace",
        "protocol_not_supported",
        "t$@D8=",
        "ENABLEEXTENSIONS",
        "RoInitialize",
        "Copyright (c) Microsoft Corporation. All rights reserved.",
        "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "ATAVAWH",
        "ProductName",
        "oL$0f",
        "L$XH3",
        "E[fD9",
        "D$`f9",
        "srand",
        "ext-ms-win-branding-winbrand-l1-1-2",
        "GetConsoleMode",
        "wcsrchr",
        "wwwwwwwwp",
        "fE9,Gu",
        "RegDeleteValueW",
        "D$0fD98t",
        "ScrollConsoleScreenBufferW",
        "$DHcD$`H",
        "GetModuleFileNameA",
        "InitializeProcThreadAttributeList",
        "no message available",
        "_callnewh",
        "ResumeThread",
        "fD9$_u",
        "<GfD9#",
        "MKDIR",
        "Cmd: %s  Type: %x ",
        "ext-ms-win-shell-shell32-l1-2-3",
        "ext-ms-win-branding-winbrand-l1-1-0",
        "GetStdHandle",
        "NtQueryInformationProcess",
        "NtSetInformationProcess",
        ".pdata",
        "network unreachable",
        "no such device or address",
        "f9|$Xvx",
        "fD9 tK",
        ".rsrc$01",
        "bad file descriptor",
        "t$`I+",
        ">0tdA",
        "10.0.19041.746",
        "fD9|G0u",
        "api-ms-win-core-registry-l1-1-0.dll",
        "_local_unwind",
        "SVWAVH",
        "GetNumaNodeProcessorMaskEx",
        "RegEnumKeyExW",
        "GetTimeFormatW",
        "network down",
        ".data$00",
        "CompareFileTime",
        "broken pipe",
        "@Qm6t",
        "D8L$h",
        "%6Ru'",
        "api-ms-win-core-heap-l1-1-0.dll",
        "fD9$hu",
        "pqacG%%apppppppaB",
        "L$XE3",
        "_lock",
        "SetCurrentDirectoryW",
        "tlfD9>tfI",
        "@A_A^A\\",
        "fD9 u",
        "SETLOCAL",
        "H!|$ L",
        "owner dead",
        "SetEnvironmentStringsW",
        "T$PE3",
        "t$0uKE3",
        "_initterm",
        "ext-ms-win-branding-winbrand-l1-2-0",
        "@SVAUH",
        "api-ms-win-core-apiquery-l1-1-0.dll",
        "<>+-*/%()|^&=,",
        "        <ws2:longPathAware>true</ws2:longPathAware>",
        ".data",
        "connection reset",
        "UATAVH",
        ".CRT$XIZ",
        "longjmp",
        "NtQueryInformationToken",
        "????????.???",
        "wcstol",
        "T$0E3",
        "t~fA;",
        "no_buffer_space",
        "iswxdigit",
        "ext-ms-win-shell-shell32-l1-3-0",
        ";l$0u",
        "HH:mm:ss t",
        ".bss$pr00",
        "T$8H;",
        "ext-ms-win-shell-shell32-l1-2-2",
        "operation_not_supported",
        "Args: `%s' ",
        "network_down",
        "td@8=",
        "ENDLOCAL",
        "K9\\$<t",
        "prRRRPa",
        "BrandingFormatString",
        "n<DSbb",
        "fD9<Bu",
        "wwwwwwwwwwwwwww",
        "    version=\"5.1.0.0\"",
        "BREAK",
        "A_A^_^]",
        "skip=",
        "_amsg_exit",
        "SetConsoleInputExeNameW",
        "FindFirstFileExW",
        "D8L$P",
        "tRfD9",
        "L$0H=",
        "timed out",
        "|$`E3",
        "|$ AVH",
        "$DHcD$PM",
        "w{H9{",
        "fD94Su",
        "cross device link",
        "VERIFY",
        "already_connected",
        "D9%/?",
        "OriginalFilename",
        "fD9<qu",
        "f94{u",
        "@A^_^",
        "SetThreadUILanguage",
        "f9<Hu",
        "D9|$Pt",
        "'Px0&D",
        "unknown error",
        "bad_file_descriptor",
        "D8-BP",
        "VarFileInfo",
        ".idata$3",
        "@SUVWAVH",
        "t$xE3",
        "fD9,^u",
        "__iob_func",
        "D$ fD",
        "VS_VERSION_INFO",
        ".text$yd",
        "too many links",
        "fD9,Wu",
        "_getch",
        "_setmode",
        ")t$@H",
        "</assembly>",
        "L$8E3",
        "fB9<{u",
        "fD9,ou",
        ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC",
        "GetVolumeInformationW",
        "UnhandledExceptionFilter",
        ">;u\\D",
        "SetConsoleTitleW",
        "fB9<iu",
        "|$ ATAVAWH",
        "EnableExtensions",
        "Gxf9(u,3",
        "\\$0E3",
        "f9<Cu",
        "*** Unknown type: %x",
        "memmove",
        "resource unavailable try again",
        "D$ fA;",
        "EXIST",
        "__setusermatherr",
        "(t$@L",
        "fD9,Ku",
        "NtSetInformationFile",
        "not connected",
        "T$8A;",
        "D$8E3",
        "L$ USWH",
        "A_A^A]A\\_^][",
        "T$0fD",
        "@A_A^A]A\\_^]",
        "fD9/t",
        "directory not empty",
        "fD9dM",
        "RemoveDirectoryW",
        "IF /?",
        "f9|$Vt\"",
        "RoUninitialize",
        "D$8L+",
        " A_A^_H",
        ".data$r$brc",
        "L+D$ H+",
        "Ungetting: '%s'",
        "SHARED",
        "f90u&H",
        "GetCurrentProcessId",
        "HeapSize",
        "GetCurrentThreadId",
        "@A_A^A]A\\_][",
        "L$0H3",
        "WNetGetConnectionWStub",
        " \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"",
        "uE9\\$<uE",
        "fD9$pu",
        "o\\$PH",
        "fD9$Ku",
        "f9(u%H",
        "fE9$Gu",
        "operation canceled",
        "@A_A^A]",
        "f9,Ou",
        "|$ 9=",
        "WGeToken: (%x) '%s'",
        "calloc",
        "|$0E3",
        "fD9$Au",
        "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
        "D9%KA",
        "CMD.EXE",
        "api-ms-win-core-errorhandling-l1-1-0.dll",
        "t$(E3",
        "HeapFree",
        "ReleaseSRWLockExclusive",
        "usebackq",
        "NEWWINDOW",
        "A_A^A]A\\_^]",
        "L95NW",
        "|$ ut",
        "RaiseFailFastException",
        "    type=\"win32\"",
        "ASSOC",
        "\\$ UVWH",
        "HIGHESTNUMANODENUMBER",
        "GlobalFree",
        ".?AVlogic_error@std@@",
        "L$pfD",
        "??1exception@@UEAA@XZ",
        "network reset",
        "onecore\\base\\cmd\\StartShellExecServiceProvider.h",
        "ext-ms-win-shell-shell32-l1-2-0.dll",
        "fG94lu",
        "delims=",
        "HcD$x",
        "fD94Ou",
        ".xdata",
        "x ATAUAVH",
        ";;u;H",
        "fD9$Fu",
        "fD98t",
        "permission denied",
        "GetFileSecurityW",
        "fprintf",
        "f9,su",
        "iH4-N",
        "A_A^A\\",
        "eIDATx",
        "SUVWATAVAWH",
        ".rdata",
        "ext-ms-win-shell-shell32-l1-2-1",
        "api-ms-win-core-string-l1-1-0.dll",
        "io error",
        "GetSecurityDescriptorOwner",
        "GetACP",
        "tSL9?",
        "OutputDebugStringW",
        "not a socket",
        "api-ms-win-core-file-l2-1-0.dll",
        "SetProcessAffinityMask",
        "FileDescription",
        ".didat$3",
        "t$0E3",
        "ReleaseSRWLockShared",
        "FillConsoleOutputCharacterW",
        "fD9$nu",
        "onecore\\base\\cmd\\maxpathawarestring.cpp",
        "fF9l}",
        "AcquireSRWLockShared",
        "D95lB",
        "%s=%s",
        "C0D9s$",
        "KERNEL32.DLL",
        "=ExitCode",
        "api-ms-win-core-string-obsolete-l1-1-0.dll",
        "D3blc",
        "fD9<{u",
        "9:uGH9-n",
        "l$ VWAVH",
        "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
        "memset",
        "eY_wK",
        " Microsoft Corporation. All rights reserved.",
        "8/t@H",
        "t$(9|$8t1",
        "(caller: %p) ",
        "fF9$xu",
        "AutoRun",
        "CompletionChar",
        "f;0u>H",
        "A_A^A]A\\]",
        "GetCommandLineW",
        "_wcslwr",
        "L$@fA",
        "api-ms-win-core-timezone-l1-1-0.dll",
        "DeleteProcThreadAttributeList",
        "8=unH",
        "connection already in progress",
        ".idata$2",
        "        <requestedPrivileges>",
        "fD9 tuH",
        "CreateMutexExW",
        "ReturnHr",
        ".gljmp",
        ".xdata$x",
        "??0exception@@QEAA@AEBV0@@Z",
        "SetUnhandledExceptionFilter",
        "f9/t+",
        "WilError_03",
        "GetVDMCurrentDirectoriesStub",
        "\\XCOPY.EXE",
        "SaferWorker",
        "GetProcAddress",
        "D;S$r",
        "Local\\SM0:%d:%d:%hs",
        "fD9+t",
        "D$89|$P",
        "memcpy_s",
        "L$ E3",
        "UVWATAUAVAWH",
        "SetLocalTime",
        "api-ms-win-core-handle-l1-1-0.dll",
        "`.rdata",
        "DelayedExpansion",
        "Microsoft Corporation",
        "f9,{u",
        "invalid_argument",
        "iswdigit",
        "d$x@8=",
        "_purecall",
        "??0exception@@QEAA@AEBQEBD@Z",
        "address family not supported",
        ".text",
        " %x %c",
        "t<fA9(t6I",
        "fA9<\\u",
        "RtlVirtualUnwind",
        "ReadFile",
        " H3E H3E",
        "CmdBatNotificationStub",
        "fA94Hu",
        "FileVersion",
        "DuplicateHandle",
        "fD9$Wu",
        "f9<Au",
        "api-ms-win-core-processenvironment-l1-2-0.dll",
        "ABOVENORMAL",
        "@SVWH",
        "|$XMc",
        "tGHcT$0M",
        "wcschr",
        "fD94Wu",
        "t$@H9",
        "CreateProcessAsUserW",
        "D$xE3",
        "t$ WATAUAVAWH",
        "t$ E3",
        "iostream stream error",
        "useback",
        "RtlCaptureContext",
        "wcsstr",
        "r?fA;",
        "0A_A^A]A\\_^]",
        "D$pE3",
        "H9{Hs>H",
        "' is not recognized as an internal or external command,",
        "LeaveCriticalSection",
        ".text$di",
        ">2tFA",
        "GetConsoleWindow",
        "fD9#t",
        "D$(E3",
        "fE9<^u",
        "L$(E3",
        "api-ms-win-core-synch-l1-1-0.dll",
        "L$8H3",
        "|$@PE",
        "L9N@A",
        "H!|$`I",
        "TryAcquireSRWLockExclusive",
        "api-ms-win-core-console-l2-2-0.dll",
        "DCchmYjO8KuFmMZ51Nd2dCy-QPkK3MUbwYbQkB1CTnKBntpStl5cylS4R6mzDzE\" \"",
        "argument list too long",
        "wcsspn",
        "D$l;E",
        " A_A^A\\^]",
        "not a directory",
        "network_reset",
        "api-ms-win-core-io-l1-1-0.dll",
        "%02d%s%02d%s%02d",
        "@SUVWH",
        "Translation",
        "operation in progress",
        "tBD9t$pu;H",
        "L$TE3",
        "api-ms-win-core-synch-l1-2-0.dll",
        "\\$ E3",
        "fD94Cu",
        "f94Au",
        "GetEnvironmentStringsW",
        "Software\\Microsoft\\Windows NT\\CurrentVersion",
        "@8=D!",
        "illegal byte sequence",
        "fD9$Su",
        "t,fD92t&I",
        "state not recoverable",
        "L$0E3",
        "FreeEnvironmentStringsW",
        ".?AVexception@@",
        "IDI_APPICON",
        "A_A^_",
        "message_size",
        "no protocol option",
        ".rdata$brc",
        "T$ H+",
        "address in use",
        "_XcptFilter",
        "stream timeout",
        "GetThreadGroupAffinity",
        "Software\\Microsoft\\Command Processor",
        ".text$zy",
        "WideCharToMultiByte",
        "DoSHChangeNotify",
        "|$ Hc",
        "Cd$@H",
        "0A_A^_",
        "3t)E3",
        "read only file system",
        "8A^_^[",
        "not supported",
        "t$HM+",
        "_tell",
        "CreateFileW",
        "dd/MM/yy",
        "D$<E3",
        "fA9<Vu",
        "?terminate@@YAXXZ",
        "RegOpenKeyExW",
        "GetVersion",
        "=ExitCodeAscii",
        "x ATAVAWH",
        ".CRT$XIA",
        "_exit",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp",
        "RtlFreeUnicodeString",
        "??1type_info@@UEAA@XZ",
        "too many files open in system",
        "L$ fD",
        "tsHcL$8L",
        "fD9,Fu",
        "ResolveDelayLoadedAPI",
        "E$uwM",
        "api-ms-win-core-sysinfo-l1-1-0.dll",
        "                uiAccess=\"false\"",
        "L9{@u",
        "f99ujH",
        "L$(H3",
        "wrong_protocol_type",
        "<assemblyIdentity",
        "<t:-,",
        "RevertToSelf",
        "_dup2",
        "GetFileAttributesW",
        "    processorArchitecture=\"amd64\"",
        "api-ms-win-core-heap-l2-1-0.dll",
        "connection refused",
        "_wpopen",
        "HcD$pH",
        "api-ms-win-core-console-l2-1-0.dll",
        "GetStartupInfoW",
        "cG?CCRRRRP`R",
        "%hs!%p: ",
        "</application>",
        "destination_address_required",
        "HeapReAlloc",
        "fD94xu",
        "f9<Bu",
        "f94Zu",
        "A_A^A\\_^",
        "FillConsoleOutputAttribute",
        "D9%`9",
        "fD94~u",
        "\\Shell\\Open\\Command",
        ".didat$7",
        "NtCancelSynchronousIoFile",
        "fD94Gu",
        "t4f93t/H",
        ">/~sA",
        "too many files open",
        "DebugBreak",
        "D$PE3",
        ";C$sD",
        "LcA<E3",
        "SetFilePointer",
        "SetEnvironmentVariableW",
        "no link",
        "*t|fA;",
        "fA9<Fu",
        "api-ms-win-security-base-l1-1-0.dll",
        "DisableCMD",
        "t%fA;",
        "y \"https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/ ",
        "__dllonexit",
        "D9|$0",
        "%s (%s) %s",
        "USVWATAUAVAWH",
        ".gehcont",
        ".?AVlength_error@std@@",
        "GetExitCodeProcess",
        "no space on device",
        "D$HE3",
        "<!-- Copyright (c) Microsoft Corporation -->",
        "fD90t",
        "t$0fB",
        "l$HE3",
        "FlushConsoleInputBuffer",
        "function not supported",
        "RtlFindLeastSignificantBit",
        "wcstoul",
        " Operating System",
        "WNetCancelConnection2WStub",
        "ShellExecuteExW",
        "device or resource busy",
        "\\$ UVWAVAWH",
        " A_A^A\\",
        "@.reloc",
        "GetThreadLocale",
        "too_many_files_open",
        "x UATAUAVAWH",
        "Sh(PO",
        ">3t#A",
        "u+fD9o",
        "string too long",
        ".CRT$XIAA",
        "t|D9t$xuuH",
        "RtlNtStatusToDosError",
        "fgets",
        "RRRRP%",
        "L$@E3",
        "@A_A^_^]",
        "pA_A^_^]",
        "H9D$`",
        "wwwwwwww",
        "fD9DC",
        "tbfA9",
        "fD9TH,u",
        "|$8D9{",
        "_ultoa",
        "!wct&",
        "no message",
        "M0H9M`t",
        "START",
        "HeapAlloc",
        "memcpy",
        "en-US",
        ".bss$dk00",
        "RegCreateKeyExW",
        "fD93u6H;",
        "XXX8Pvh8v",
        "9|$Ht",
        "is a directory",
        "PUSHD",
        "pushd ",
        "m;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\;C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps",
        "rmdir ",
        "f94Ku",
        ";:u8A",
        ";8uWH",
        "f9tQ,u",
        "fD9$Zu",
        ".text$lp01cmd.exe!20_pri7",
        "D$0H;",
        "FileTimeToLocalFileTime",
        "ERASE",
        "L9L$x",
        "fE9,Fu",
        "0A^_^][",
        "D8L$iL",
        "9\"tFH",
        "\\uc@8=",
        "D$ E3",
        ".idata$4",
        "GetTickCount",
        "_wcsicmp",
        "SetEndOfFile",
        "u%6RRRRRPp",
        "CreateSymbolicLinkW",
        "fD94Au",
        ".CRT$XCAA",
        "f9,Su",
        "DefaultColor",
        "_get_osfhandle",
        "GetDiskFreeSpaceExW",
        "fE9$Ou",
        "SearchPathW",
        "tbD9t$Pu[H",
        "VirtualAlloc",
        ".text$lp00cmd.exe!20_pri7",
        "L$ UVWATAUAVAWH",
        "CreateProcessW",
        "\"t5fA",
        "D$`fD98t",
        "fD94wu",
        "GetConsoleScreenBufferInfo",
        ".idata$6",
        "!This program cannot be run in DOS mode.",
        "f9,Cu",
        "f9,Gu",
        "operation not supported",
        "connection_already_in_progress",
        "__getmainargs",
        "D$ L+",
        "cmd.exe",
        "A^A]_",
        "],//cuu",
        "APerformUnaryOperation: '%c'",
        "D$ I+",
        "f9<Ku",
        "RegCloseKey",
        "FindNextStreamWStub",
        "PATHEXT",
        "T$8E3",
        "tUD9%",
        "mkdir ",
        "_wtol",
        ".text$np",
        "L$8f99u`+",
        "t\"D8=",
        "__CxxFrameHandler3",
        "address_in_use",
        "L9%<`",
        "UVATAVAWH",
        "bad_address",
        "towupper",
        "RtlDosPathNameToNtPathName_U",
        "fflush",
        "(%s) %s ",
        ".didat$2",
        "fA9<@u",
        "L;d$x",
        "DelayLoadFailureHook",
        "{ ATAVAWH",
        "bad message",
        "TerminateProcess",
        "ext-ms-win-branding-winbrand-l1-1-1",
        "fD9tC",
        "L$xE3",
        "VirtualFree",
        "CreateDirectoryW",
        "@USVWATAUAVAWH",
        "SetFilePointerEx",
        "SVWATAUAVAWH",
        "D$pf9",
        "QueryPerformanceCounter",
        "AFFINITY",
        "fF9<fu",
        "GetFileSize",
        "f9,Bu",
        "se%%%%% R",
        "_close",
        "u HcA<H",
        "u\"f90u&H",
        "|$ UATAUAVAWH",
        "api-ms-win-core-processthreads-l1-1-0.dll",
        " v;f98",
        "message size",
        "wrong protocol type",
        "D8=-u",
        "ApiSetQueryApiSetPresence",
        "GetSystemTimeAsFileTime",
        "Unknown",
        "x AVH",
        "ext-ms-win-cmd-util-l1-1-0.dll",
        "SetConsoleCursorPosition",
        "fD9$yu",
        "A_A^A]",
        "x AUAVAWH",
        "wwwwwwwwwwwwwwwwwwwww",
        "|$z:t0A",
        "fD9,Ou",
        "GetProcessHeap",
        "d$Ht*E",
        "_onexit",
        "SetFileAttributesW",
        "_vsnwprintf",
        "REM /?",
        "Windows Command Processor",
        "l$ VWATAVAWH",
        ".rsrc$02",
        "D$@fD9'",
        "Software\\Policies\\Microsoft\\Windows\\System",
        "9D$0u",
        "WAVAWH",
        "UAVAWH",
        "RegQueryValueExW",
        "api-ms-win-core-profile-l1-1-0.dll",
        "fD9dG",
        "iostream",
        "t$ WATAVH",
        "printf",
        "UWAVH",
        "fD94yu",
        "D8L$\\",
        "SEPARATE",
        "Cmd.Exe",
        ".bss$00",
        "InternalName",
        "api-ms-win-core-datetime-l1-1-0.dll",
        "COMSPEC",
        "u#D8g!u",
        "H9L$@r",
        "__set_app_type",
        "D$\"fD",
        "file exists",
        "D9d$P",
        "f9,xu",
        "executable format error",
        "040904B0",
        "[%hs(%hs)]",
        "L$4uFA",
        "filename too long",
        "L9{0t#H",
        "realloc",
        "    /D /c\"",
        "fE9,Wu",
        "fD90H",
        "api-ms-win-core-delayload-l1-1-0.dll",
        "t$HE3",
        "fD9<Gu",
        "fD9,xu",
        "HcA<H",
        "t!fD9l$ ",
        ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
        "L9%@^",
        "fE9,xu",
        "D9t$DtND",
        "A_A^]",
        "HeapSetInformation",
        "connection_refused",
        ".rdata$zzzdbg",
        "identifier removed",
        "/w&tV",
        ".CRT$XCA",
        "SetConsoleMode",
        "t$49\\$Ht&9",
        "f9<Fu",
        "9|$Pt!H",
        "=RendererCodeIntegrity \"https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/",
        "t$pL+",
        "L$PE3",
        "fD9#u",
        "tGD95",
        "RegDeleteKeyExW",
        "D9y$vb",
        "MKLINK",
        "PAUSE",
        "D$8H!t$8H",
        ".idata$5",
        "    name=\"Microsoft.Windows.FileSystem.CMD\"",
        "0A_A^^",
        "fE9d~",
        "GetNumaHighestNodeNumber",
        "f9<Qu",
        "    </security>",
        ".CRT$XCU",
        "L$ SWH",
        "SetFileTime",
        ".giats",
        "fC9\\e",
        "COLOR",
        "f9,Xu",
        "filename_too_long",
        "PU,//",
        "|$P.uEH",
        "L$pH3",
        "ShellExecuteWorker",
        "0123456789",
        "RtlLookupFunctionEntry",
        "GetConsoleTitleW",
        "|T0 s",
        "RMDIR",
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>",
        "fA94Du",
        "#D$D;",
        "t\"D9%",
        "%2d%s%02d%s%02d%s%02d",
        "f94Ju",
        "GetLocalTime",
        "_wcsnicmp",
        "cmd.pdb",
        "<application  xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "fD9,Gu",
        "|$4fE99",
        "operation_would_block"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\System32\\cmd.exe",
      "process_name": "cmd.exe",
      "module_path": "C:\\Windows\\System32\\cmd.exe",
      "pid": 3712
    },
    {
      "name": "31aefc078054212033b91771ef3f0278cf9dfc7b96bb677b3cd64ff4940aaaf3",
      "path": "/opt/CAPEv2/storage/analyses/113/procdump/31aefc078054212033b91771ef3f0278cf9dfc7b96bb677b3cd64ff4940aaaf3",
      "guest_paths": "1;?C:\\Windows\\System32\\cmd.exe;?C:\\Windows\\System32\\cmd.exe;?",
      "size": 401920,
      "crc32": "A98AB5DE",
      "md5": "29e963ca55037e9fb10ab85921f93f9b",
      "sha1": "982afaa39668ecd7371071f7b4bd8cc7f42461cb",
      "sha256": "31aefc078054212033b91771ef3f0278cf9dfc7b96bb677b3cd64ff4940aaaf3",
      "sha512": "a557445f92d1978c162aa1b4833d4df2191a46882f36576657a790eb9271d122c56b668e4b5af2ffa8917e8898fba6947b65b6959b6bfe82eef662ef742f3a2b",
      "rh_hash": null,
      "ssdeep": "6144:Q4WA1B7BxDfQWKORSqY4zOcmpdlc3RJdmtgl7m:b1BvkWvSqY4zvmjOBJIO",
      "type": "PE32+ executable (console) x86-64, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T13284295D23D928A5D52381399943C236C6B27C346321A6EF22D0DD7B6F23AE9B734F05",
      "sha3_384": "25162b18c1a3cf83d4237db07f1ca3573353bf6f3ccfb7b9435908d5c8df79f0808228aaceefd4c5367f5171048fbfdb",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\113\\testt.bat",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x7ff60e030000",
        "entrypoint": "0x00018f50",
        "ep_bytes": "4883ec28e82b0600004883c428e91efe",
        "peid_signatures": null,
        "reported_checksum": "0x0004d4af",
        "actual_checksum": "0x0006ddf7",
        "osversion": "10.0",
        "machine_type": "IMAGE_FILE_MACHINE_AMD64",
        "pdbpath": "cmd.pdb",
        "imports": {
          "msvcrt": {
            "dll": "msvcrt.dll",
            "imports": [
              {
                "address": "0x7ff60e063af8",
                "name": "_setmode"
              },
              {
                "address": "0x7ff60e063b00",
                "name": "exit"
              },
              {
                "address": "0x7ff60e063b08",
                "name": "iswxdigit"
              },
              {
                "address": "0x7ff60e063b10",
                "name": "time"
              },
              {
                "address": "0x7ff60e063b18",
                "name": "srand"
              },
              {
                "address": "0x7ff60e063b20",
                "name": "_wtol"
              },
              {
                "address": "0x7ff60e063b28",
                "name": "fflush"
              },
              {
                "address": "0x7ff60e063b30",
                "name": "wcsstr"
              },
              {
                "address": "0x7ff60e063b38",
                "name": "iswalpha"
              },
              {
                "address": "0x7ff60e063b40",
                "name": "wcstoul"
              },
              {
                "address": "0x7ff60e063b48",
                "name": "_errno"
              },
              {
                "address": "0x7ff60e063b50",
                "name": "printf"
              },
              {
                "address": "0x7ff60e063b58",
                "name": "rand"
              },
              {
                "address": "0x7ff60e063b60",
                "name": "fprintf"
              },
              {
                "address": "0x7ff60e063b68",
                "name": "wcsncmp"
              },
              {
                "address": "0x7ff60e063b70",
                "name": "_pipe"
              },
              {
                "address": "0x7ff60e063b78",
                "name": "_commode"
              },
              {
                "address": "0x7ff60e063b80",
                "name": "_lock"
              },
              {
                "address": "0x7ff60e063b88",
                "name": "wcsrchr"
              },
              {
                "address": "0x7ff60e063b90",
                "name": "realloc"
              },
              {
                "address": "0x7ff60e063b98",
                "name": "towlower"
              },
              {
                "address": "0x7ff60e063ba0",
                "name": "_initterm"
              },
              {
                "address": "0x7ff60e063ba8",
                "name": "__setusermatherr"
              },
              {
                "address": "0x7ff60e063bb0",
                "name": "setlocale"
              },
              {
                "address": "0x7ff60e063bb8",
                "name": "_wcsupr"
              },
              {
                "address": "0x7ff60e063bc0",
                "name": "iswdigit"
              },
              {
                "address": "0x7ff60e063bc8",
                "name": "_ultoa"
              },
              {
                "address": "0x7ff60e063bd0",
                "name": "_cexit"
              },
              {
                "address": "0x7ff60e063bd8",
                "name": "_unlock"
              },
              {
                "address": "0x7ff60e063be0",
                "name": "_exit"
              },
              {
                "address": "0x7ff60e063be8",
                "name": "__dllonexit"
              },
              {
                "address": "0x7ff60e063bf0",
                "name": "_wcsicmp"
              },
              {
                "address": "0x7ff60e063bf8",
                "name": "iswspace"
              },
              {
                "address": "0x7ff60e063c00",
                "name": "wcschr"
              },
              {
                "address": "0x7ff60e063c08",
                "name": "fgets"
              },
              {
                "address": "0x7ff60e063c10",
                "name": "??_V@YAXPEAX@Z"
              },
              {
                "address": "0x7ff60e063c18",
                "name": "_pclose"
              },
              {
                "address": "0x7ff60e063c20",
                "name": "ferror"
              },
              {
                "address": "0x7ff60e063c28",
                "name": "_onexit"
              },
              {
                "address": "0x7ff60e063c30",
                "name": "__CxxFrameHandler3"
              },
              {
                "address": "0x7ff60e063c38",
                "name": "_open_osfhandle"
              },
              {
                "address": "0x7ff60e063c40",
                "name": "_close"
              },
              {
                "address": "0x7ff60e063c48",
                "name": "feof"
              },
              {
                "address": "0x7ff60e063c50",
                "name": "_dup"
              },
              {
                "address": "0x7ff60e063c58",
                "name": "_wpopen"
              },
              {
                "address": "0x7ff60e063c60",
                "name": "_wcsnicmp"
              },
              {
                "address": "0x7ff60e063c68",
                "name": "?terminate@@YAXXZ"
              },
              {
                "address": "0x7ff60e063c70",
                "name": "memset"
              },
              {
                "address": "0x7ff60e063c78",
                "name": "wcstol"
              },
              {
                "address": "0x7ff60e063c80",
                "name": "_get_osfhandle"
              },
              {
                "address": "0x7ff60e063c88",
                "name": "_dup2"
              },
              {
                "address": "0x7ff60e063c90",
                "name": "_getch"
              },
              {
                "address": "0x7ff60e063c98",
                "name": "towupper"
              },
              {
                "address": "0x7ff60e063ca0",
                "name": "memcmp"
              },
              {
                "address": "0x7ff60e063ca8",
                "name": "_setjmp"
              },
              {
                "address": "0x7ff60e063cb0",
                "name": "wcsspn"
              },
              {
                "address": "0x7ff60e063cb8",
                "name": "_fmode"
              },
              {
                "address": "0x7ff60e063cc0",
                "name": "qsort"
              },
              {
                "address": "0x7ff60e063cc8",
                "name": "__set_app_type"
              },
              {
                "address": "0x7ff60e063cd0",
                "name": "_tell"
              },
              {
                "address": "0x7ff60e063cd8",
                "name": "_wcslwr"
              },
              {
                "address": "0x7ff60e063ce0",
                "name": "longjmp"
              },
              {
                "address": "0x7ff60e063ce8",
                "name": "_local_unwind"
              },
              {
                "address": "0x7ff60e063cf0",
                "name": "_purecall"
              },
              {
                "address": "0x7ff60e063cf8",
                "name": "__C_specific_handler"
              },
              {
                "address": "0x7ff60e063d00",
                "name": "??3@YAXPEAX@Z"
              },
              {
                "address": "0x7ff60e063d08",
                "name": "memcpy_s"
              },
              {
                "address": "0x7ff60e063d10",
                "name": "free"
              },
              {
                "address": "0x7ff60e063d18",
                "name": "calloc"
              },
              {
                "address": "0x7ff60e063d20",
                "name": "__getmainargs"
              },
              {
                "address": "0x7ff60e063d28",
                "name": "_XcptFilter"
              },
              {
                "address": "0x7ff60e063d30",
                "name": "_amsg_exit"
              },
              {
                "address": "0x7ff60e063d38",
                "name": "??1type_info@@UEAA@XZ"
              },
              {
                "address": "0x7ff60e063d40",
                "name": "memmove"
              },
              {
                "address": "0x7ff60e063d48",
                "name": "memcpy"
              },
              {
                "address": "0x7ff60e063d50",
                "name": "_CxxThrowException"
              },
              {
                "address": "0x7ff60e063d58",
                "name": "_vsnwprintf"
              },
              {
                "address": "0x7ff60e063d60",
                "name": "swscanf"
              },
              {
                "address": "0x7ff60e063d68",
                "name": "__iob_func"
              },
              {
                "address": "0x7ff60e063d70",
                "name": "malloc"
              },
              {
                "address": "0x7ff60e063d78",
                "name": "_callnewh"
              },
              {
                "address": "0x7ff60e063d80",
                "name": "??0exception@@QEAA@AEBQEBD@Z"
              },
              {
                "address": "0x7ff60e063d88",
                "name": "??0exception@@QEAA@AEBQEBDH@Z"
              },
              {
                "address": "0x7ff60e063d90",
                "name": "??0exception@@QEAA@AEBV0@@Z"
              },
              {
                "address": "0x7ff60e063d98",
                "name": "??1exception@@UEAA@XZ"
              },
              {
                "address": "0x7ff60e063da0",
                "name": "?what@exception@@UEBAPEBDXZ"
              },
              {
                "address": "0x7ff60e063da8",
                "name": "wcscmp"
              }
            ]
          },
          "ntdll": {
            "dll": "ntdll.dll",
            "imports": [
              {
                "address": "0x7ff60e063db8",
                "name": "RtlLookupFunctionEntry"
              },
              {
                "address": "0x7ff60e063dc0",
                "name": "RtlCaptureContext"
              },
              {
                "address": "0x7ff60e063dc8",
                "name": "NtOpenProcessToken"
              },
              {
                "address": "0x7ff60e063dd0",
                "name": "NtQueryInformationToken"
              },
              {
                "address": "0x7ff60e063dd8",
                "name": "NtClose"
              },
              {
                "address": "0x7ff60e063de0",
                "name": "NtOpenThreadToken"
              },
              {
                "address": "0x7ff60e063de8",
                "name": "RtlFreeHeap"
              },
              {
                "address": "0x7ff60e063df0",
                "name": "NtFsControlFile"
              },
              {
                "address": "0x7ff60e063df8",
                "name": "RtlDosPathNameToNtPathName_U"
              },
              {
                "address": "0x7ff60e063e00",
                "name": "RtlVirtualUnwind"
              },
              {
                "address": "0x7ff60e063e08",
                "name": "RtlFreeUnicodeString"
              },
              {
                "address": "0x7ff60e063e10",
                "name": "RtlReleaseRelativeName"
              },
              {
                "address": "0x7ff60e063e18",
                "name": "NtOpenFile"
              },
              {
                "address": "0x7ff60e063e20",
                "name": "RtlDosPathNameToRelativeNtPathName_U_WithStatus"
              },
              {
                "address": "0x7ff60e063e28",
                "name": "NtSetInformationFile"
              },
              {
                "address": "0x7ff60e063e30",
                "name": "NtQueryVolumeInformationFile"
              },
              {
                "address": "0x7ff60e063e38",
                "name": "NtSetInformationProcess"
              },
              {
                "address": "0x7ff60e063e40",
                "name": "NtQueryInformationProcess"
              },
              {
                "address": "0x7ff60e063e48",
                "name": "RtlNtStatusToDosError"
              },
              {
                "address": "0x7ff60e063e50",
                "name": "NtCancelSynchronousIoFile"
              },
              {
                "address": "0x7ff60e063e58",
                "name": "RtlCreateUnicodeStringFromAsciiz"
              },
              {
                "address": "0x7ff60e063e60",
                "name": "RtlFindLeastSignificantBit"
              }
            ]
          },
          "api-ms-win-core-kernel32-legacy-l1-1-0": {
            "dll": "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063788",
                "name": "CopyFileW"
              },
              {
                "address": "0x7ff60e063790",
                "name": "GetConsoleWindow"
              }
            ]
          },
          "api-ms-win-core-libraryloader-l1-2-0": {
            "dll": "api-ms-win-core-libraryloader-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0637a0",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x7ff60e0637a8",
                "name": "GetModuleFileNameA"
              },
              {
                "address": "0x7ff60e0637b0",
                "name": "LoadLibraryExW"
              },
              {
                "address": "0x7ff60e0637b8",
                "name": "GetProcAddress"
              },
              {
                "address": "0x7ff60e0637c0",
                "name": "GetModuleFileNameW"
              },
              {
                "address": "0x7ff60e0637c8",
                "name": "GetModuleHandleExW"
              }
            ]
          },
          "api-ms-win-core-synch-l1-1-0": {
            "dll": "api-ms-win-core-synch-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0639c8",
                "name": "CreateSemaphoreExW"
              },
              {
                "address": "0x7ff60e0639d0",
                "name": "InitializeCriticalSection"
              },
              {
                "address": "0x7ff60e0639d8",
                "name": "WaitForSingleObject"
              },
              {
                "address": "0x7ff60e0639e0",
                "name": "ReleaseSemaphore"
              },
              {
                "address": "0x7ff60e0639e8",
                "name": "TryAcquireSRWLockExclusive"
              },
              {
                "address": "0x7ff60e0639f0",
                "name": "WaitForSingleObjectEx"
              },
              {
                "address": "0x7ff60e0639f8",
                "name": "ReleaseMutex"
              },
              {
                "address": "0x7ff60e063a00",
                "name": "ReleaseSRWLockShared"
              },
              {
                "address": "0x7ff60e063a08",
                "name": "AcquireSRWLockShared"
              },
              {
                "address": "0x7ff60e063a10",
                "name": "LeaveCriticalSection"
              },
              {
                "address": "0x7ff60e063a18",
                "name": "CreateMutexExW"
              },
              {
                "address": "0x7ff60e063a20",
                "name": "EnterCriticalSection"
              },
              {
                "address": "0x7ff60e063a28",
                "name": "ReleaseSRWLockExclusive"
              },
              {
                "address": "0x7ff60e063a30",
                "name": "OpenSemaphoreW"
              }
            ]
          },
          "api-ms-win-core-heap-l1-1-0": {
            "dll": "api-ms-win-core-heap-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063720",
                "name": "HeapFree"
              },
              {
                "address": "0x7ff60e063728",
                "name": "HeapAlloc"
              },
              {
                "address": "0x7ff60e063730",
                "name": "GetProcessHeap"
              },
              {
                "address": "0x7ff60e063738",
                "name": "HeapSetInformation"
              },
              {
                "address": "0x7ff60e063740",
                "name": "HeapReAlloc"
              },
              {
                "address": "0x7ff60e063748",
                "name": "HeapSize"
              }
            ]
          },
          "api-ms-win-core-errorhandling-l1-1-0": {
            "dll": "api-ms-win-core-errorhandling-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0635c8",
                "name": "SetLastError"
              },
              {
                "address": "0x7ff60e0635d0",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x7ff60e0635d8",
                "name": "GetLastError"
              },
              {
                "address": "0x7ff60e0635e0",
                "name": "SetErrorMode"
              },
              {
                "address": "0x7ff60e0635e8",
                "name": "SetUnhandledExceptionFilter"
              }
            ]
          },
          "api-ms-win-core-processthreads-l1-1-0": {
            "dll": "api-ms-win-core-processthreads-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0638b0",
                "name": "InitializeProcThreadAttributeList"
              },
              {
                "address": "0x7ff60e0638b8",
                "name": "GetCurrentThreadId"
              },
              {
                "address": "0x7ff60e0638c0",
                "name": "UpdateProcThreadAttribute"
              },
              {
                "address": "0x7ff60e0638c8",
                "name": "DeleteProcThreadAttributeList"
              },
              {
                "address": "0x7ff60e0638d0",
                "name": "GetStartupInfoW"
              },
              {
                "address": "0x7ff60e0638d8",
                "name": "CreateProcessAsUserW"
              },
              {
                "address": "0x7ff60e0638e0",
                "name": "OpenThread"
              },
              {
                "address": "0x7ff60e0638e8",
                "name": "CreateProcessW"
              },
              {
                "address": "0x7ff60e0638f0",
                "name": "ResumeThread"
              },
              {
                "address": "0x7ff60e0638f8",
                "name": "TerminateProcess"
              },
              {
                "address": "0x7ff60e063900",
                "name": "GetExitCodeProcess"
              },
              {
                "address": "0x7ff60e063908",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x7ff60e063910",
                "name": "GetCurrentProcessId"
              }
            ]
          },
          "api-ms-win-core-localization-l1-2-0": {
            "dll": "api-ms-win-core-localization-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0637d8",
                "name": "GetThreadLocale"
              },
              {
                "address": "0x7ff60e0637e0",
                "name": "SetThreadLocale"
              },
              {
                "address": "0x7ff60e0637e8",
                "name": "FormatMessageW"
              },
              {
                "address": "0x7ff60e0637f0",
                "name": "GetLocaleInfoW"
              },
              {
                "address": "0x7ff60e0637f8",
                "name": "GetCPInfo"
              },
              {
                "address": "0x7ff60e063800",
                "name": "GetACP"
              },
              {
                "address": "0x7ff60e063808",
                "name": "GetUserDefaultLCID"
              }
            ]
          },
          "api-ms-win-core-debug-l1-1-0": {
            "dll": "api-ms-win-core-debug-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063588",
                "name": "OutputDebugStringW"
              },
              {
                "address": "0x7ff60e063590",
                "name": "DebugBreak"
              },
              {
                "address": "0x7ff60e063598",
                "name": "IsDebuggerPresent"
              }
            ]
          },
          "api-ms-win-core-handle-l1-1-0": {
            "dll": "api-ms-win-core-handle-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063708",
                "name": "DuplicateHandle"
              },
              {
                "address": "0x7ff60e063710",
                "name": "CloseHandle"
              }
            ]
          },
          "api-ms-win-core-memory-l1-1-0": {
            "dll": "api-ms-win-core-memory-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063818",
                "name": "VirtualAlloc"
              },
              {
                "address": "0x7ff60e063820",
                "name": "VirtualQuery"
              },
              {
                "address": "0x7ff60e063828",
                "name": "VirtualFree"
              },
              {
                "address": "0x7ff60e063830",
                "name": "ReadProcessMemory"
              }
            ]
          },
          "api-ms-win-core-console-l1-1-0": {
            "dll": "api-ms-win-core-console-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0634e0",
                "name": "ReadConsoleW"
              },
              {
                "address": "0x7ff60e0634e8",
                "name": "SetConsoleCtrlHandler"
              },
              {
                "address": "0x7ff60e0634f0",
                "name": "SetConsoleMode"
              },
              {
                "address": "0x7ff60e0634f8",
                "name": "WriteConsoleW"
              },
              {
                "address": "0x7ff60e063500",
                "name": "GetConsoleMode"
              },
              {
                "address": "0x7ff60e063508",
                "name": "GetConsoleOutputCP"
              }
            ]
          },
          "api-ms-win-core-file-l1-1-0": {
            "dll": "api-ms-win-core-file-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0635f8",
                "name": "CreateFileW"
              },
              {
                "address": "0x7ff60e063600",
                "name": "FlushFileBuffers"
              },
              {
                "address": "0x7ff60e063608",
                "name": "GetFileAttributesExW"
              },
              {
                "address": "0x7ff60e063610",
                "name": "GetDriveTypeW"
              },
              {
                "address": "0x7ff60e063618",
                "name": "FindClose"
              },
              {
                "address": "0x7ff60e063620",
                "name": "FindNextFileW"
              },
              {
                "address": "0x7ff60e063628",
                "name": "CreateDirectoryW"
              },
              {
                "address": "0x7ff60e063630",
                "name": "GetVolumeInformationW"
              },
              {
                "address": "0x7ff60e063638",
                "name": "SetFileAttributesW"
              },
              {
                "address": "0x7ff60e063640",
                "name": "SetEndOfFile"
              },
              {
                "address": "0x7ff60e063648",
                "name": "SetFilePointerEx"
              },
              {
                "address": "0x7ff60e063650",
                "name": "WriteFile"
              },
              {
                "address": "0x7ff60e063658",
                "name": "DeleteFileW"
              },
              {
                "address": "0x7ff60e063660",
                "name": "SetFileTime"
              },
              {
                "address": "0x7ff60e063668",
                "name": "GetVolumePathNameW"
              },
              {
                "address": "0x7ff60e063670",
                "name": "SetFilePointer"
              },
              {
                "address": "0x7ff60e063678",
                "name": "ReadFile"
              },
              {
                "address": "0x7ff60e063680",
                "name": "GetFileAttributesW"
              },
              {
                "address": "0x7ff60e063688",
                "name": "GetFileType"
              },
              {
                "address": "0x7ff60e063690",
                "name": "RemoveDirectoryW"
              },
              {
                "address": "0x7ff60e063698",
                "name": "FindFirstFileExW"
              },
              {
                "address": "0x7ff60e0636a0",
                "name": "CompareFileTime"
              },
              {
                "address": "0x7ff60e0636a8",
                "name": "GetFullPathNameW"
              },
              {
                "address": "0x7ff60e0636b0",
                "name": "GetDiskFreeSpaceExW"
              },
              {
                "address": "0x7ff60e0636b8",
                "name": "FileTimeToLocalFileTime"
              },
              {
                "address": "0x7ff60e0636c0",
                "name": "GetFileSize"
              },
              {
                "address": "0x7ff60e0636c8",
                "name": "FindFirstFileW"
              }
            ]
          },
          "api-ms-win-core-string-l1-1-0": {
            "dll": "api-ms-win-core-string-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063998",
                "name": "WideCharToMultiByte"
              },
              {
                "address": "0x7ff60e0639a0",
                "name": "MultiByteToWideChar"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-1-0": {
            "dll": "api-ms-win-core-processenvironment-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063840",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x7ff60e063848",
                "name": "GetEnvironmentStringsW"
              },
              {
                "address": "0x7ff60e063850",
                "name": "ExpandEnvironmentStringsW"
              },
              {
                "address": "0x7ff60e063858",
                "name": "FreeEnvironmentStringsW"
              },
              {
                "address": "0x7ff60e063860",
                "name": "SetEnvironmentVariableW"
              },
              {
                "address": "0x7ff60e063868",
                "name": "SearchPathW"
              },
              {
                "address": "0x7ff60e063870",
                "name": "SetCurrentDirectoryW"
              },
              {
                "address": "0x7ff60e063878",
                "name": "GetCurrentDirectoryW"
              },
              {
                "address": "0x7ff60e063880",
                "name": "GetEnvironmentVariableW"
              },
              {
                "address": "0x7ff60e063888",
                "name": "SetEnvironmentStringsW"
              },
              {
                "address": "0x7ff60e063890",
                "name": "GetStdHandle"
              }
            ]
          },
          "api-ms-win-core-console-l2-1-0": {
            "dll": "api-ms-win-core-console-l2-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063518",
                "name": "SetConsoleCursorPosition"
              },
              {
                "address": "0x7ff60e063520",
                "name": "GetConsoleScreenBufferInfo"
              },
              {
                "address": "0x7ff60e063528",
                "name": "ScrollConsoleScreenBufferW"
              },
              {
                "address": "0x7ff60e063530",
                "name": "FillConsoleOutputAttribute"
              },
              {
                "address": "0x7ff60e063538",
                "name": "FillConsoleOutputCharacterW"
              },
              {
                "address": "0x7ff60e063540",
                "name": "FlushConsoleInputBuffer"
              },
              {
                "address": "0x7ff60e063548",
                "name": "SetConsoleTextAttribute"
              }
            ]
          },
          "api-ms-win-security-base-l1-1-0": {
            "dll": "api-ms-win-security-base-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063ad8",
                "name": "GetFileSecurityW"
              },
              {
                "address": "0x7ff60e063ae0",
                "name": "RevertToSelf"
              },
              {
                "address": "0x7ff60e063ae8",
                "name": "GetSecurityDescriptorOwner"
              }
            ]
          },
          "api-ms-win-core-sysinfo-l1-1-0": {
            "dll": "api-ms-win-core-sysinfo-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063a50",
                "name": "GetSystemTime"
              },
              {
                "address": "0x7ff60e063a58",
                "name": "SetLocalTime"
              },
              {
                "address": "0x7ff60e063a60",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x7ff60e063a68",
                "name": "GetTickCount"
              },
              {
                "address": "0x7ff60e063a70",
                "name": "GetWindowsDirectoryW"
              },
              {
                "address": "0x7ff60e063a78",
                "name": "GetLocalTime"
              },
              {
                "address": "0x7ff60e063a80",
                "name": "GetVersion"
              }
            ]
          },
          "api-ms-win-core-timezone-l1-1-0": {
            "dll": "api-ms-win-core-timezone-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063aa8",
                "name": "SystemTimeToFileTime"
              },
              {
                "address": "0x7ff60e063ab0",
                "name": "FileTimeToSystemTime"
              }
            ]
          },
          "api-ms-win-core-datetime-l1-1-0": {
            "dll": "api-ms-win-core-datetime-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063570",
                "name": "GetDateFormatW"
              },
              {
                "address": "0x7ff60e063578",
                "name": "GetTimeFormatW"
              }
            ]
          },
          "api-ms-win-core-systemtopology-l1-1-0": {
            "dll": "api-ms-win-core-systemtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063a90",
                "name": "GetNumaNodeProcessorMaskEx"
              },
              {
                "address": "0x7ff60e063a98",
                "name": "GetNumaHighestNodeNumber"
              }
            ]
          },
          "api-ms-win-core-console-l2-2-0": {
            "dll": "api-ms-win-core-console-l2-2-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063558",
                "name": "SetConsoleTitleW"
              },
              {
                "address": "0x7ff60e063560",
                "name": "GetConsoleTitleW"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-2-0": {
            "dll": "api-ms-win-core-processenvironment-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0638a0",
                "name": "NeedCurrentDirectoryForExePathW"
              }
            ]
          },
          "api-ms-win-core-registry-l1-1-0": {
            "dll": "api-ms-win-core-registry-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063950",
                "name": "RegCloseKey"
              },
              {
                "address": "0x7ff60e063958",
                "name": "RegSetValueExW"
              },
              {
                "address": "0x7ff60e063960",
                "name": "RegOpenKeyExW"
              },
              {
                "address": "0x7ff60e063968",
                "name": "RegCreateKeyExW"
              },
              {
                "address": "0x7ff60e063970",
                "name": "RegEnumKeyExW"
              },
              {
                "address": "0x7ff60e063978",
                "name": "RegDeleteKeyExW"
              },
              {
                "address": "0x7ff60e063980",
                "name": "RegDeleteValueW"
              },
              {
                "address": "0x7ff60e063988",
                "name": "RegQueryValueExW"
              }
            ]
          },
          "api-ms-win-core-file-l2-1-0": {
            "dll": "api-ms-win-core-file-l2-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0636d8",
                "name": "MoveFileExW"
              },
              {
                "address": "0x7ff60e0636e0",
                "name": "CreateSymbolicLinkW"
              },
              {
                "address": "0x7ff60e0636e8",
                "name": "CreateHardLinkW"
              },
              {
                "address": "0x7ff60e0636f0",
                "name": "MoveFileWithProgressW"
              },
              {
                "address": "0x7ff60e0636f8",
                "name": "GetFileInformationByHandleEx"
              }
            ]
          },
          "api-ms-win-core-heap-l2-1-0": {
            "dll": "api-ms-win-core-heap-l2-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063758",
                "name": "GlobalAlloc"
              },
              {
                "address": "0x7ff60e063760",
                "name": "GlobalFree"
              },
              {
                "address": "0x7ff60e063768",
                "name": "LocalFree"
              }
            ]
          },
          "api-ms-win-core-io-l1-1-0": {
            "dll": "api-ms-win-core-io-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063778",
                "name": "DeviceIoControl"
              }
            ]
          },
          "api-ms-win-core-winrt-l1-1-0": {
            "dll": "api-ms-win-core-winrt-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063ac0",
                "name": "RoInitialize"
              },
              {
                "address": "0x7ff60e063ac8",
                "name": "RoUninitialize"
              }
            ]
          },
          "api-ms-win-core-processtopology-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063920",
                "name": "GetThreadGroupAffinity"
              }
            ]
          },
          "api-ms-win-core-synch-l1-2-0": {
            "dll": "api-ms-win-core-synch-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063a40",
                "name": "Sleep"
              }
            ]
          },
          "api-ms-win-core-profile-l1-1-0": {
            "dll": "api-ms-win-core-profile-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063940",
                "name": "QueryPerformanceCounter"
              }
            ]
          },
          "api-ms-win-core-string-obsolete-l1-1-0": {
            "dll": "api-ms-win-core-string-obsolete-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0639b0",
                "name": "lstrcmpW"
              },
              {
                "address": "0x7ff60e0639b8",
                "name": "lstrcmpiW"
              }
            ]
          },
          "api-ms-win-core-processtopology-obsolete-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e063930",
                "name": "SetProcessAffinityMask"
              }
            ]
          },
          "api-ms-win-core-apiquery-l1-1-0": {
            "dll": "api-ms-win-core-apiquery-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0634d0",
                "name": "ApiSetQueryApiSetPresence"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-1": {
            "dll": "api-ms-win-core-delayload-l1-1-1.dll",
            "imports": [
              {
                "address": "0x7ff60e0635b8",
                "name": "ResolveDelayLoadedAPI"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-0": {
            "dll": "api-ms-win-core-delayload-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff60e0635a8",
                "name": "DelayLoadFailureHook"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0003a028",
            "size": "0x000002f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0005d000",
            "size": "0x000084f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00059000",
            "size": "0x00002334"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00066000",
            "size": "0x0000030c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00035a60",
            "size": "0x00000054"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00032c10",
            "size": "0x00000118"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00039d20",
            "size": "0x00000080"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x00031000",
            "size_of_data": "0x00031000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.31"
          },
          {
            "name": ".rdata",
            "raw_address": "0x00031400",
            "virtual_address": "0x00032000",
            "virtual_size": "0x0000b000",
            "size_of_data": "0x0000a600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "5.15"
          },
          {
            "name": ".data",
            "raw_address": "0x0003ba00",
            "virtual_address": "0x0003d000",
            "virtual_size": "0x0001c000",
            "size_of_data": "0x0001b800",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.13"
          },
          {
            "name": ".pdata",
            "raw_address": "0x00057200",
            "virtual_address": "0x00059000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "5.49"
          },
          {
            "name": ".didat",
            "raw_address": "0x00059600",
            "virtual_address": "0x0005c000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "1.28"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00059800",
            "virtual_address": "0x0005d000",
            "virtual_size": "0x00009000",
            "size_of_data": "0x00008600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.36"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00061e00",
            "virtual_address": "0x00066000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "4.68"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "MUI",
            "offset": "0x00065420",
            "size": "0x000000d8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.68"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005d778",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.65"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005dde0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e0c8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e1f0",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.06"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f098",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f940",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "0.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005fea8",
            "size": "0x0000169e",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.85"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00061548",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00063af0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00064b98",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00065000",
            "size": "0x00000092",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.90"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00065098",
            "size": "0x00000388",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.50"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0005d350",
            "size": "0x00000428",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.00"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Windows Command Processor"
          },
          {
            "name": "FileVersion",
            "value": "10.0.19041.746 (WinBuild.160101.0800)"
          },
          {
            "name": "InternalName",
            "value": "cmd"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "Cmd.Exe"
          },
          {
            "name": "ProductName",
            "value": "Microsoft® Windows® Operating System"
          },
          {
            "name": "ProductVersion",
            "value": "10.0.19041.746"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "272245e2988e1e430500b852c4fb5e18",
        "timestamp": "2090-01-16 09:26:43",
        "icon": "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",
        "icon_hash": "00d152c1523e56c619d25f6c96c21a41",
        "icon_fuzzy": "e55641fba39eaff4ee89e5fc0af8f337",
        "icon_dhash": "a2ae7a370101a3c0",
        "imported_dll_count": 37
      },
      "data": null,
      "strings": [
        "fD9,0",
        "t$0L+",
        "kernelbase.dll",
        ".data$zz",
        "<description>Windows Command Processor</description>",
        "NtOpenFile",
        "CMD Internal Error %s",
        "            />",
        "api-ms-win-core-processenvironment-l1-1-0.dll",
        "fD9,Vu",
        "H+|$@H",
        "WriteFile",
        "qsort",
        "ReleaseMutex",
        "DISABLEEXTENSIONS",
        "|$ E3",
        "WaitForSingleObject",
        "value too large",
        "!KD4)#",
        "no such device",
        "H+L$xH",
        "t$ WAVAWH",
        "fD9t$\"",
        "ntdll.dll",
        "lstrcmpiW",
        "ProductVersion",
        "n(D9-c",
        "A^A\\]",
        "` AUAVAWH",
        "fD9d$P",
        ".data$pr00",
        "PathCompletionChar",
        "f9H\\u",
        "\\$dD9L$T",
        "bad allocation",
        "Se%ae`",
        "DPATH",
        "fA9<Du",
        "l$ E3",
        "fD9l$ ",
        "fE9,Ft",
        "FindNextFileW",
        "CallContext:[%hs] ",
        "A_A^A]_]",
        "address not available",
        ";:u&A",
        "CCCC@40`P@ ",
        "fD9|F0u",
        "f98tDA",
        "\\$ UH",
        "D9t$p",
        "APerformArithmeticOperation: '%c'",
        ".text$mn",
        "UWAWH",
        "already connected",
        "RtlDosPathNameToRelativeNtPathName_U_WithStatus",
        "??0exception@@QEAA@AEBQEBDH@Z",
        "oD$ f",
        "H9t$Xt eH",
        "t$pE3",
        "    </windowsSettings>",
        "HcT$8H",
        "D$0E3",
        "8*uUH",
        "D$ I;",
        "fD9<Cu",
        "swscanf",
        "fD9,Au",
        "fD99t~D9=<u",
        "f94yu",
        "l$PLcv$I",
        "permission_denied",
        "WNetAddConnection2WStub",
        "D$XfD",
        "GetFileType",
        "result out of range",
        "L$0H;",
        "MM/dd/yy",
        "DisableUNCCheck",
        "`A_A^A\\_^][",
        "fF9$Cu",
        "D;d$@D",
        "system",
        "fE9&tdA",
        "text file busy",
        "GlobalAlloc",
        "fA9,Pu",
        "D9L$l",
        "api-ms-win-core-console-l1-1-0.dll",
        "fD9$xu",
        "api-ms-win-core-winrt-l1-1-0.dll",
        "no lock available",
        "GetFileAttributesExW",
        "D$DE3",
        "NtOpenProcessToken",
        ".rdata$00$brc",
        "MoveFileWithProgressW",
        "L$`H3",
        "_CxxThrowException",
        "L$ht'A",
        "api-ms-win-core-libraryloader-l1-2-0.dll",
        "RtlReleaseRelativeName",
        "RtlFreeHeap",
        "Software\\Classes",
        "fA9<wu",
        "GetDriveTypeW",
        "GetEnvironmentVariableW",
        "chdir ",
        "*)))))))))))))))))))))",
        "8\\utH",
        "d$0E3",
        "Hct$ ",
        "G8f9C",
        "fD9 t&f",
        "yy/MM/dd",
        "\\CMD.EXE",
        "api-ms-win-core-file-l1-1-0.dll",
        ".rdata$zz",
        "MoveFileExW",
        "GetConsoleOutputCP",
        "    <security>",
        "@A_A^A]A\\_^[",
        "s AWH",
        "NTDLL.DLL",
        "u4D95N",
        "no such file or directory",
        ".bss$zz",
        "D$(@P",
        "DEFINED",
        "D9f$t",
        "D$@E3",
        "CopyFileExW",
        "OpenThread",
        "f9,Hu",
        "WaitForSingleObjectEx",
        "_cexit",
        "%02d%s%02d%s",
        "HcD$`H",
        "</trustInfo>",
        "operation_in_progress",
        "not a stream",
        "fD9/u",
        "u0D9d$ ",
        "Fxf9(u-3",
        "UWATAVAWH",
        "D8L$ ",
        "OpenSemaphoreW",
        "fE9DE",
        "A_A^A\\_]",
        "UpdateProcThreadAttribute",
        "SetConsoleTextAttribute",
        "9T$0u0",
        " A^A]A\\",
        "CreateSemaphoreExW",
        "not_connected",
        "fD9lC",
        "msvcrt.dll",
        "fA94Ru",
        "f90t7",
        "fD9tG",
        "            <requestedExecutionLevel",
        "not enough memory",
        "fF9$Iu",
        "not_a_socket",
        "MessageBeepStub",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "PROMPT",
        "DeleteFileW",
        "t$ WH",
        "fE9LE",
        "DeviceIoControl",
        "timed_out",
        "FormatMessageW",
        "generic",
        "    <windowsSettings xmlns:ws2=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">",
        "Application",
        "wcscmp",
        "KxfD91",
        "invalid string position",
        "ext-ms-win-shell-shell32-l1-2-0",
        "_wcsupr",
        "10.0.19041.746 (WinBuild.160101.0800)",
        "L$PH3",
        "SHIFT",
        " Windows",
        "t$ UWATAVAWH",
        " A^A\\_",
        ".data$brc",
        "_setjmp",
        "E;.JS;.JSE;.WSF;.WSH;.MSC",
        "D8=is",
        "|$pA;",
        "D$0L;",
        "Microsoft",
        " A_A^_",
        "FileTimeToSystemTime",
        " A^_^",
        "_errno",
        "LoadLibraryExW",
        "HcD$ ",
        "%WINDOWS_COPYRIGHT%",
        "DISABLEDELAYEDEXPANSION",
        "CompanyName",
        "fB9<su",
        "fE9$vu",
        "SetThreadLocale",
        "FindFirstFileW",
        ".text$x",
        "no stream resources",
        "D9|$0u$E3",
        "fD94{u",
        "RtlDllShutdownInProgress",
        "fA98u",
        "t$@E3",
        "network_unreachable",
        "A_A^A]A\\_^[",
        "%s %s ",
        "D9-P8",
        "L$ H+",
        "fF9<Au",
        "    <windowsSettings>",
        "too many symbolic link levels",
        "SUWATAUAVAWH",
        "WriteConsoleW",
        "file too large",
        ".data$dk00$brc",
        "`A_A^A]A\\_^]",
        "_pipe",
        "TITLE",
        "NtOpenThreadToken",
        "D$Pf9",
        "D9-4m",
        ">1tUA",
        "FOR /?",
        "fD94Bu",
        "fE9$@u",
        "GetCurrentDirectoryW",
        "fD9|]",
        "D9d$x",
        "FindClose",
        "SetConsoleCtrlHandler",
        "BELOWNORMAL",
        "RegSetValueExW",
        "protocol not supported",
        "__C_specific_handler",
        "FtFfD9",
        " /K %s",
        "CloseHandle",
        "fD9<Hu",
        "x UAVAWH",
        "<noalias>",
        "fE9<nu",
        "t$HD9=",
        "9\\$<t",
        "CMDEXTVERSION",
        "GetCurrentProcess",
        "t$0E;",
        "wcsncmp",
        "fD9,Ju",
        "x AWH",
        "4FHcD$`H",
        "CreateHardLinkW",
        "fF9,gu",
        "NtClose",
        "GetModuleHandleW",
        "WATAUAVAWH",
        "no such process",
        "GetModuleHandleExW",
        "H!\\$ L",
        "GetFileInformationByHandleEx",
        "IsDebuggerPresent",
        "no_protocol_option",
        ".didat$6",
        "b$j-0",
        "GetSystemTime",
        "fD9:u",
        "operation would block",
        "L$HE3",
        "UVWAVAWH",
        "api-ms-win-core-memory-l1-1-0.dll",
        "FOR/?",
        "w5tlA",
        "        </requestedPrivileges>",
        " [..]",
        "%s %s%s ",
        "VAVAWH",
        "EnterCriticalSection",
        "tokens=",
        "f;D$`",
        "%d.%d.%05d.%d",
        "ENABLEDELAYEDEXPANSION",
        "SetErrorMode",
        "|$TfD",
        "GetVolumePathNameW",
        "invalid argument",
        "cCBR_p",
        "CSVFS",
        "x UATAVH",
        "\\$PE3",
        "L$xHc",
        "L$095",
        "bad address",
        "_pclose",
        "address_family_not_supported",
        "|$pI+",
        "connection_aborted",
        "NeedCurrentDirectoryForExePathW",
        "SUVWATAUAVAWH",
        ".CRT$XCZ",
        "ReadProcessMemory",
        "lstrcmpW",
        "resource deadlock would occur",
        "NtFsControlFile",
        "Msg:[%ws] ",
        "HcD$PM",
        "%hs(%d) tid(%x) %08X %ws",
        "WAUAVH",
        "api-ms-win-core-processtopology-l1-1-0.dll",
        "System",
        "((((&&(&&&(&(&&&&&&(((#&&###",
        "FlushFileBuffers",
        "RtlDisownModuleHeapAllocation",
        "??3@YAXPEAX@Z",
        ".rsrc",
        "ferror",
        "\\$ UVWATAUAVAWH",
        "()|&=,;\"",
        "7fD90",
        "QueryFullProcessImageNameWStub",
        "GetDateFormatW",
        "RENAME",
        "fD9$Hu",
        "=,;+/[] ",
        "GetLocaleInfoW",
        ".didat$5",
        "MultiByteToWideChar",
        "?what@exception@@UEBAPEBDXZ",
        ";|$Xt",
        "InitializeCriticalSection",
        "f9<^u",
        ".gfids",
        "AfD9!u",
        "        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
        "protocol error",
        "ReadConsoleW",
        "GetModuleFileNameW",
        "fdpnxsatz",
        "|$[fD9?",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\resource.h",
        "fD9,8",
        "NtQueryVolumeInformationFile",
        "4qaCCRCCCB",
        "tRHcL$xI",
        "A^_^][",
        "fD9$Cu",
        " &()[]{}^=;!%'+,`~",
        "@USVWATAVAWH",
        "fF9$pu",
        "GetCPInfo",
        "no buffer space",
        "L$Pf9",
        "[%hs]",
        "SetLastError",
        "DD$`H",
        "StringFileInfo",
        ".text$mn$00",
        "D$@H9t$@",
        ".didat$4",
        "Redir: ",
        "CopyFileW",
        "VWAVH",
        "invalid seek",
        "Null environment",
        "REM/?",
        "CHcD$pH",
        ".?AVout_of_range@std@@",
        "fD9,Su",
        "COPYCMD",
        "A_A^A]A\\_",
        "fE9dw",
        "@SUVWATAUAVAWH",
        " [...]",
        "\\$$E3",
        "oT$@f",
        "FindFirstStreamWStub",
        "GetUserDefaultLCID",
        "argument out of domain",
        "destination address required",
        "D$xH#E",
        "towlower",
        "D9l$ ",
        "D$PfA",
        "connection_reset",
        "operation not permitted",
        "api-ms-win-core-delayload-l1-1-1.dll",
        "fD9,_u",
        "ReleaseSemaphore",
        "_open_osfhandle",
        "@.didat",
        ".?AVbad_alloc@std@@",
        "u*9Q<|%",
        "L$Xf91t",
        "@SAWH",
        "f9|$<tMI;",
        "A_A^A]A\\_^[]",
        "malloc",
        "D9t$0",
        ".rdata$00",
        "REALTIME",
        ".text$zz",
        "D9t$x",
        "D9t$<",
        "\\$(E3",
        "%hs(%u)\\%hs!%p: ",
        "ERRORLEVEL",
        "api-ms-win-core-debug-l1-1-0.dll",
        "_unlock",
        "fD94Hu",
        "D$D9E",
        "HcL$ HcD$$H",
        "inappropriate io control operation",
        "fD9,Cu",
        "connection aborted",
        "u3fD;",
        "F fD9",
        "H9D$x",
        ".CRT$XIY",
        "no child process",
        "fD9<Xu",
        "VirtualQuery",
        "NORMAL",
        " A_A^A]A\\_",
        "tlD8%",
        "fD9$Gu",
        "RANDOM",
        ".00cfg",
        "D9%PC",
        "f94Cu",
        "fE9$Fu",
        "Sleep",
        "D8L$ t",
        "FailFast",
        "p AWH",
        "GetLastError",
        "??_V@YAXPEAX@Z",
        "fF9Dj0u",
        "%04X-%04X",
        "api-ms-win-core-systemtopology-l1-1-0.dll",
        "SystemTimeToFileTime",
        "T$XD;{",
        "RtlCreateUnicodeStringFromAsciiz",
        "CHDIR",
        "D9l$d",
        ";:u.A",
        "DIRCMD",
        "interrupted",
        "_fmode",
        "fD9$su",
        "GetFullPathNameW",
        "host unreachable",
        "@WAVH",
        "f90t13",
        "1H9wx",
        "HcT$ L",
        "api-ms-win-core-localization-l1-2-0.dll",
        "CMDCMDLINE",
        "LogHr",
        "lext-ms-win-cmd-util-l1-1-0",
        "memcmp",
        "GetWindowsDirectoryW",
        "FTYPE",
        "LocalFree",
        "setlocale",
        "_commode",
        "                level=\"asInvoker\"",
        "L$XH+",
        "ExpandEnvironmentStringsW",
        "fE94Wu",
        "(fD97",
        "UWAUAVAWH",
        "Exception",
        "LookupAccountSidWStub",
        "ext-ms-win-branding-winbrand-l1-1-0.dll",
        "@A_A^]",
        "iswalpha",
        "G0HcW",
        "host_unreachable",
        "^fD9+",
        "LegalCopyright",
        "NDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
        "A_A^A\\_^[]",
        "fE9$wu",
        " A_A^A]A\\_^]",
        "address_not_available",
        "iswspace",
        "protocol_not_supported",
        "t$@D8=",
        "ENABLEEXTENSIONS",
        "RoInitialize",
        "Copyright (c) Microsoft Corporation. All rights reserved.",
        "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "ATAVAWH",
        "ProductName",
        "oL$0f",
        "L$XH3",
        "wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\"",
        "E[fD9",
        "D$`f9",
        "srand",
        "ext-ms-win-branding-winbrand-l1-1-2",
        "GetConsoleMode",
        "wcsrchr",
        "wwwwwwwwp",
        "fE9,Gu",
        "RegDeleteValueW",
        "D$0fD98t",
        "ScrollConsoleScreenBufferW",
        "$DHcD$`H",
        "GetModuleFileNameA",
        "InitializeProcThreadAttributeList",
        "no message available",
        "_callnewh",
        "ResumeThread",
        "fD9$_u",
        "<GfD9#",
        "MKDIR",
        "Cmd: %s  Type: %x ",
        "ext-ms-win-shell-shell32-l1-2-3",
        "ext-ms-win-branding-winbrand-l1-1-0",
        "GetStdHandle",
        "NtQueryInformationProcess",
        "NtSetInformationProcess",
        ".pdata",
        "network unreachable",
        "no such device or address",
        "f9|$Xvx",
        "fD9 tK",
        ".rsrc$01",
        "bad file descriptor",
        "t$`I+",
        ">0tdA",
        "10.0.19041.746",
        "fD9|G0u",
        "api-ms-win-core-registry-l1-1-0.dll",
        "_local_unwind",
        "SVWAVH",
        "GetNumaNodeProcessorMaskEx",
        "RegEnumKeyExW",
        "GetTimeFormatW",
        "network down",
        ".data$00",
        "CompareFileTime",
        "broken pipe",
        "@Qm6t",
        "D8L$h",
        "%6Ru'",
        "api-ms-win-core-heap-l1-1-0.dll",
        "fD9$hu",
        "pqacG%%apppppppaB",
        "L$XE3",
        "_lock",
        "SetCurrentDirectoryW",
        "tlfD9>tfI",
        "@A_A^A\\",
        "fD9 u",
        "SETLOCAL",
        "H!|$ L",
        "owner dead",
        "SetEnvironmentStringsW",
        "T$PE3",
        "t$0uKE3",
        "_initterm",
        "ext-ms-win-branding-winbrand-l1-2-0",
        "@SVAUH",
        "api-ms-win-core-apiquery-l1-1-0.dll",
        "<>+-*/%()|^&=,",
        "        <ws2:longPathAware>true</ws2:longPathAware>",
        ".data",
        "connection reset",
        "UATAVH",
        ".CRT$XIZ",
        "longjmp",
        "NtQueryInformationToken",
        "????????.???",
        "wcstol",
        "T$0E3",
        "t~fA;",
        "no_buffer_space",
        "iswxdigit",
        "ext-ms-win-shell-shell32-l1-3-0",
        ";l$0u",
        "HH:mm:ss t",
        ".bss$pr00",
        "T$8H;",
        "ext-ms-win-shell-shell32-l1-2-2",
        "operation_not_supported",
        "Args: `%s' ",
        "network_down",
        "td@8=",
        "ENDLOCAL",
        "K9\\$<t",
        "prRRRPa",
        "BrandingFormatString",
        "n<DSbb",
        "fD9<Bu",
        "wwwwwwwwwwwwwww",
        "    version=\"5.1.0.0\"",
        "BREAK",
        "A_A^_^]",
        "skip=",
        "_amsg_exit",
        "SetConsoleInputExeNameW",
        "FindFirstFileExW",
        "D8L$P",
        "tRfD9",
        "L$0H=",
        "timed out",
        "|$`E3",
        "|$ AVH",
        "$DHcD$PM",
        "w{H9{",
        "fD94Su",
        "cross device link",
        "VERIFY",
        "already_connected",
        "D9%/?",
        "OriginalFilename",
        "fD9<qu",
        "f94{u",
        "@A^_^",
        "SetThreadUILanguage",
        "f9<Hu",
        "D9|$Pt",
        "'Px0&D",
        "unknown error",
        "bad_file_descriptor",
        "D8-BP",
        "VarFileInfo",
        ".idata$3",
        "@SUVWAVH",
        "t$xE3",
        "fD9,^u",
        "__iob_func",
        "D$ fD",
        "VS_VERSION_INFO",
        ".text$yd",
        "too many links",
        "fD9,Wu",
        "_getch",
        "_setmode",
        ")t$@H",
        "</assembly>",
        "L$8E3",
        "fB9<{u",
        "fD9,ou",
        ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC",
        "GetVolumeInformationW",
        "UnhandledExceptionFilter",
        ">;u\\D",
        "SetConsoleTitleW",
        "fB9<iu",
        "|$ ATAVAWH",
        "EnableExtensions",
        "Gxf9(u,3",
        "\\$0E3",
        "f9<Cu",
        "*** Unknown type: %x",
        "memmove",
        "resource unavailable try again",
        "D$ fA;",
        "EXIST",
        "__setusermatherr",
        "(t$@L",
        "fD9,Ku",
        "NtSetInformationFile",
        "not connected",
        "T$8A;",
        "D$8E3",
        "L$ USWH",
        "A_A^A]A\\_^][",
        "T$0fD",
        "@A_A^A]A\\_^]",
        "fD9/t",
        "directory not empty",
        "fD9dM",
        "RemoveDirectoryW",
        "IF /?",
        "f9|$Vt\"",
        "RoUninitialize",
        "D$8L+",
        " A_A^_H",
        ".data$r$brc",
        "L+D$ H+",
        "Ungetting: '%s'",
        "SHARED",
        "f90u&H",
        "GetCurrentProcessId",
        "HeapSize",
        "GetCurrentThreadId",
        "@A_A^A]A\\_][",
        "L$0H3",
        "WNetGetConnectionWStub",
        " \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"",
        "uE9\\$<uE",
        "fD9$pu",
        "o\\$PH",
        "fD9$Ku",
        "f9(u%H",
        "fE9$Gu",
        "operation canceled",
        "@A_A^A]",
        "f9,Ou",
        "|$ 9=",
        "WGeToken: (%x) '%s'",
        "calloc",
        "|$0E3",
        "fD9$Au",
        "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
        "D9%KA",
        "CMD.EXE",
        "api-ms-win-core-errorhandling-l1-1-0.dll",
        "t$(E3",
        "HeapFree",
        "ReleaseSRWLockExclusive",
        "usebackq",
        "NEWWINDOW",
        "A_A^A]A\\_^]",
        "L95NW",
        "|$ ut",
        "RaiseFailFastException",
        "    type=\"win32\"",
        "ASSOC",
        "\\$ UVWH",
        "HIGHESTNUMANODENUMBER",
        "GlobalFree",
        ".?AVlogic_error@std@@",
        "L$pfD",
        "??1exception@@UEAA@XZ",
        "network reset",
        "onecore\\base\\cmd\\StartShellExecServiceProvider.h",
        "ext-ms-win-shell-shell32-l1-2-0.dll",
        "fG94lu",
        "delims=",
        "HcD$x",
        "fD94Ou",
        ".xdata",
        "x ATAUAVH",
        ";;u;H",
        "fD9$Fu",
        "fD98t",
        "permission denied",
        "GetFileSecurityW",
        "fprintf",
        "f9,su",
        "iH4-N",
        "A_A^A\\",
        "eIDATx",
        "SUVWATAVAWH",
        ".rdata",
        "ext-ms-win-shell-shell32-l1-2-1",
        "api-ms-win-core-string-l1-1-0.dll",
        "io error",
        "GetSecurityDescriptorOwner",
        "GetACP",
        "tSL9?",
        "OutputDebugStringW",
        "not a socket",
        "api-ms-win-core-file-l2-1-0.dll",
        "SetProcessAffinityMask",
        "FileDescription",
        ".didat$3",
        "t$0E3",
        "ReleaseSRWLockShared",
        "FillConsoleOutputCharacterW",
        "fD9$nu",
        "onecore\\base\\cmd\\maxpathawarestring.cpp",
        "fF9l}",
        "AcquireSRWLockShared",
        "D95lB",
        "%s=%s",
        "C0D9s$",
        "KERNEL32.DLL",
        "=ExitCode",
        "api-ms-win-core-string-obsolete-l1-1-0.dll",
        "D3blc",
        "fD9<{u",
        "9:uGH9-n",
        "l$ VWAVH",
        "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
        "memset",
        "eY_wK",
        " Microsoft Corporation. All rights reserved.",
        "8/t@H",
        "t$(9|$8t1",
        "(caller: %p) ",
        "fF9$xu",
        "AutoRun",
        "CompletionChar",
        "f;0u>H",
        "A_A^A]A\\]",
        "GetCommandLineW",
        "_wcslwr",
        "L$@fA",
        "api-ms-win-core-timezone-l1-1-0.dll",
        "DeleteProcThreadAttributeList",
        "8=unH",
        "connection already in progress",
        ".idata$2",
        "        <requestedPrivileges>",
        "fD9 tuH",
        "CreateMutexExW",
        "ReturnHr",
        ".gljmp",
        ".xdata$x",
        "??0exception@@QEAA@AEBV0@@Z",
        "SetUnhandledExceptionFilter",
        "f9/t+",
        "WilError_03",
        "GetVDMCurrentDirectoriesStub",
        "\\XCOPY.EXE",
        "SaferWorker",
        "GetProcAddress",
        "D;S$r",
        "Local\\SM0:%d:%d:%hs",
        "fD9+t",
        "D$89|$P",
        "memcpy_s",
        "L$ E3",
        "UVWATAUAVAWH",
        "SetLocalTime",
        "api-ms-win-core-handle-l1-1-0.dll",
        "`.rdata",
        "DelayedExpansion",
        "Microsoft Corporation",
        "f9,{u",
        "invalid_argument",
        "iswdigit",
        "d$x@8=",
        "_purecall",
        "??0exception@@QEAA@AEBQEBD@Z",
        "address family not supported",
        ".text",
        " %x %c",
        "t<fA9(t6I",
        "fA9<\\u",
        "RtlVirtualUnwind",
        "ReadFile",
        " H3E H3E",
        "CmdBatNotificationStub",
        "fA94Hu",
        "FileVersion",
        "DuplicateHandle",
        "fD9$Wu",
        "f9<Au",
        "api-ms-win-core-processenvironment-l1-2-0.dll",
        "ABOVENORMAL",
        "@SVWH",
        "|$XMc",
        "tGHcT$0M",
        "wcschr",
        "fD94Wu",
        "t$@H9",
        "CreateProcessAsUserW",
        "D$xE3",
        "t$ WATAUAVAWH",
        "t$ E3",
        "iostream stream error",
        "useback",
        "RtlCaptureContext",
        "wcsstr",
        "r?fA;",
        "0A_A^A]A\\_^]",
        "D$pE3",
        "H9{Hs>H",
        "LeaveCriticalSection",
        ".text$di",
        ">2tFA",
        "GetConsoleWindow",
        "fD9#t",
        "D$(E3",
        "fE9<^u",
        "L$(E3",
        "api-ms-win-core-synch-l1-1-0.dll",
        "L$8H3",
        "|$@PE",
        "L9N@A",
        "H!|$`I",
        "TryAcquireSRWLockExclusive",
        "api-ms-win-core-console-l2-2-0.dll",
        "argument list too long",
        "wcsspn",
        "D$l;E",
        " A_A^A\\^]",
        "not a directory",
        "network_reset",
        "api-ms-win-core-io-l1-1-0.dll",
        "%02d%s%02d%s%02d",
        "@SUVWH",
        "Translation",
        "operation in progress",
        "tBD9t$pu;H",
        "L$TE3",
        "api-ms-win-core-synch-l1-2-0.dll",
        "\\$ E3",
        "fD94Cu",
        "f94Au",
        "GetEnvironmentStringsW",
        "Software\\Microsoft\\Windows NT\\CurrentVersion",
        "@8=D!",
        "illegal byte sequence",
        "fD9$Su",
        "t,fD92t&I",
        "state not recoverable",
        "L$0E3",
        "FreeEnvironmentStringsW",
        ".?AVexception@@",
        "IDI_APPICON",
        "A_A^_",
        "message_size",
        "no protocol option",
        ".rdata$brc",
        "T$ H+",
        "address in use",
        "_XcptFilter",
        "stream timeout",
        "GetThreadGroupAffinity",
        "Software\\Microsoft\\Command Processor",
        ".text$zy",
        "WideCharToMultiByte",
        "DoSHChangeNotify",
        "|$ Hc",
        "Cd$@H",
        "0A_A^_",
        "3t)E3",
        "read only file system",
        "8A^_^[",
        "not supported",
        "t$HM+",
        "_tell",
        "CreateFileW",
        "dd/MM/yy",
        "D$<E3",
        "fA9<Vu",
        "?terminate@@YAXXZ",
        "RegOpenKeyExW",
        "GetVersion",
        "=ExitCodeAscii",
        "x ATAVAWH",
        ".CRT$XIA",
        "_exit",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp",
        "RtlFreeUnicodeString",
        "??1type_info@@UEAA@XZ",
        "too many files open in system",
        "L$ fD",
        "tsHcL$8L",
        "fD9,Fu",
        "ResolveDelayLoadedAPI",
        "E$uwM",
        "api-ms-win-core-sysinfo-l1-1-0.dll",
        "                uiAccess=\"false\"",
        "L9{@u",
        "f99ujH",
        "L$(H3",
        "wrong_protocol_type",
        "<assemblyIdentity",
        "<t:-,",
        "RevertToSelf",
        "_dup2",
        "GetFileAttributesW",
        "    processorArchitecture=\"amd64\"",
        "api-ms-win-core-heap-l2-1-0.dll",
        "connection refused",
        "_wpopen",
        "HcD$pH",
        "api-ms-win-core-console-l2-1-0.dll",
        "GetStartupInfoW",
        "cG?CCRRRRP`R",
        "%hs!%p: ",
        "</application>",
        "destination_address_required",
        "HeapReAlloc",
        "fD94xu",
        "f9<Bu",
        "f94Zu",
        "A_A^A\\_^",
        "FillConsoleOutputAttribute",
        "D9%`9",
        "fD94~u",
        "\\Shell\\Open\\Command",
        ".didat$7",
        "NtCancelSynchronousIoFile",
        "fD94Gu",
        "t4f93t/H",
        ">/~sA",
        "too many files open",
        "DebugBreak",
        "D$PE3",
        ";C$sD",
        "LcA<E3",
        "SetFilePointer",
        "SetEnvironmentVariableW",
        "no link",
        "*t|fA;",
        "fA9<Fu",
        "api-ms-win-security-base-l1-1-0.dll",
        "DisableCMD",
        "t%fA;",
        "__dllonexit",
        "D9|$0",
        "%s (%s) %s",
        "USVWATAUAVAWH",
        ".gehcont",
        ".?AVlength_error@std@@",
        "GetExitCodeProcess",
        "no space on device",
        "D$HE3",
        "<!-- Copyright (c) Microsoft Corporation -->",
        "fD90t",
        "t$0fB",
        "l$HE3",
        "FlushConsoleInputBuffer",
        "function not supported",
        "RtlFindLeastSignificantBit",
        "wcstoul",
        " Operating System",
        "WNetCancelConnection2WStub",
        "ShellExecuteExW",
        "device or resource busy",
        "\\$ UVWAVAWH",
        " A_A^A\\",
        "@.reloc",
        "GetThreadLocale",
        "too_many_files_open",
        "x UATAUAVAWH",
        "Sh(PO",
        ">3t#A",
        "u+fD9o",
        "string too long",
        ".CRT$XIAA",
        "t|D9t$xuuH",
        "RtlNtStatusToDosError",
        "fgets",
        "RRRRP%",
        "L$@E3",
        "@A_A^_^]",
        "pA_A^_^]",
        "H9D$`",
        "wwwwwwww",
        "fD9DC",
        "tbfA9",
        "fD9TH,u",
        "|$8D9{",
        "_ultoa",
        "!wct&",
        "no message",
        "M0H9M`t",
        "START",
        "HeapAlloc",
        "memcpy",
        "en-US",
        ".bss$dk00",
        "RegCreateKeyExW",
        "fD93u6H;",
        "XXX8Pvh8v",
        "9|$Ht",
        "is a directory",
        "PUSHD",
        "pushd ",
        "m;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\;C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps",
        "rmdir ",
        "f94Ku",
        ";:u8A",
        ";8uWH",
        "f9tQ,u",
        "fD9$Zu",
        ".text$lp01cmd.exe!20_pri7",
        "D$0H;",
        "FileTimeToLocalFileTime",
        "ERASE",
        "L9L$x",
        "fE9,Fu",
        "0A^_^][",
        "D8L$iL",
        "9\"tFH",
        "\\uc@8=",
        "D$ E3",
        ".idata$4",
        "GetTickCount",
        "_wcsicmp",
        "SetEndOfFile",
        "u%6RRRRRPp",
        "CreateSymbolicLinkW",
        "fD94Au",
        ".CRT$XCAA",
        "f9,Su",
        "DefaultColor",
        "_get_osfhandle",
        "GetDiskFreeSpaceExW",
        "fE9$Ou",
        "SearchPathW",
        "tbD9t$Pu[H",
        "VirtualAlloc",
        ".text$lp00cmd.exe!20_pri7",
        "L$ UVWATAUAVAWH",
        "CreateProcessW",
        "\"t5fA",
        "D$`fD98t",
        "fD94wu",
        "GetConsoleScreenBufferInfo",
        ".idata$6",
        "!This program cannot be run in DOS mode.",
        "f9,Cu",
        "f9,Gu",
        "operation not supported",
        "connection_already_in_progress",
        "__getmainargs",
        "D$ L+",
        "cmd.exe",
        "A^A]_",
        "],//cuu",
        "APerformUnaryOperation: '%c'",
        "D$ I+",
        "f9<Ku",
        "RegCloseKey",
        "FindNextStreamWStub",
        "PATHEXT",
        "T$8E3",
        "tUD9%",
        "mkdir ",
        "_wtol",
        ".text$np",
        "L$8f99u`+",
        "t\"D8=",
        "__CxxFrameHandler3",
        "address_in_use",
        "L9%<`",
        "UVATAVAWH",
        "bad_address",
        "towupper",
        "RtlDosPathNameToNtPathName_U",
        "fflush",
        "(%s) %s ",
        ".didat$2",
        "fA9<@u",
        "L;d$x",
        "DelayLoadFailureHook",
        "{ ATAVAWH",
        "bad message",
        "TerminateProcess",
        "ext-ms-win-branding-winbrand-l1-1-1",
        "fD9tC",
        "L$xE3",
        "VirtualFree",
        "CreateDirectoryW",
        "@USVWATAUAVAWH",
        "SetFilePointerEx",
        "SVWATAUAVAWH",
        "D$pf9",
        "QueryPerformanceCounter",
        "AFFINITY",
        "fF9<fu",
        "GetFileSize",
        "f9,Bu",
        "se%%%%% R",
        "_close",
        "u HcA<H",
        "u\"f90u&H",
        "|$ UATAUAVAWH",
        "api-ms-win-core-processthreads-l1-1-0.dll",
        " v;f98",
        "message size",
        "wrong protocol type",
        "D8=-u",
        "ApiSetQueryApiSetPresence",
        "GetSystemTimeAsFileTime",
        "Unknown",
        "x AVH",
        "ext-ms-win-cmd-util-l1-1-0.dll",
        "SetConsoleCursorPosition",
        "fD9$yu",
        "A_A^A]",
        "x AUAVAWH",
        "wwwwwwwwwwwwwwwwwwwww",
        "|$z:t0A",
        "fD9,Ou",
        "GetProcessHeap",
        "d$Ht*E",
        "_onexit",
        "SetFileAttributesW",
        "_vsnwprintf",
        "REM /?",
        "Windows Command Processor",
        "l$ VWATAVAWH",
        ".rsrc$02",
        "D$@fD9'",
        "Software\\Policies\\Microsoft\\Windows\\System",
        "9D$0u",
        "WAVAWH",
        "UAVAWH",
        "RegQueryValueExW",
        "api-ms-win-core-profile-l1-1-0.dll",
        "fD9dG",
        "iostream",
        "t$ WATAVH",
        "printf",
        "UWAVH",
        "fD94yu",
        "D8L$\\",
        "SEPARATE",
        "Cmd.Exe",
        ".bss$00",
        "InternalName",
        "api-ms-win-core-datetime-l1-1-0.dll",
        "COMSPEC",
        "u#D8g!u",
        "H9L$@r",
        "__set_app_type",
        "D$\"fD",
        "file exists",
        "D9d$P",
        "f9,xu",
        "executable format error",
        "040904B0",
        "[%hs(%hs)]",
        "L$4uFA",
        "filename too long",
        "L9{0t#H",
        "realloc",
        "    /D /c\"",
        "fE9,Wu",
        "fD90H",
        "api-ms-win-core-delayload-l1-1-0.dll",
        "t$HE3",
        "fD9<Gu",
        "fD9,xu",
        "HcA<H",
        "t!fD9l$ ",
        "L9%@^",
        "fE9,xu",
        "D9t$DtND",
        "A_A^]",
        "HeapSetInformation",
        "connection_refused",
        ".rdata$zzzdbg",
        "identifier removed",
        "/w&tV",
        ".CRT$XCA",
        "SetConsoleMode",
        "t$49\\$Ht&9",
        "f9<Fu",
        "9|$Pt!H",
        "t$pL+",
        "L$PE3",
        "fD9#u",
        "tGD95",
        "RegDeleteKeyExW",
        "D9y$vb",
        "MKLINK",
        "PAUSE",
        "D$8H!t$8H",
        ".idata$5",
        "    name=\"Microsoft.Windows.FileSystem.CMD\"",
        "0A_A^^",
        "fE9d~",
        "GetNumaHighestNodeNumber",
        "f9<Qu",
        "    </security>",
        ".CRT$XCU",
        "L$ SWH",
        "SetFileTime",
        "C:\\Windows\\system32\\cmd.exe",
        ".giats",
        "fC9\\e",
        "COLOR",
        "f9,Xu",
        "filename_too_long",
        "PU,//",
        "|$P.uEH",
        "L$pH3",
        "ShellExecuteWorker",
        "0123456789",
        "RtlLookupFunctionEntry",
        "GetConsoleTitleW",
        "|T0 s",
        "RMDIR",
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>",
        "fA94Du",
        "#D$D;",
        "start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\"",
        "t\"D9%",
        "%2d%s%02d%s%02d%s%02d",
        "f94Ju",
        "GetLocalTime",
        "_wcsnicmp",
        "cmd.pdb",
        "<application  xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "fD9,Gu",
        "|$4fE99",
        "operation_would_block"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\System32\\cmd.exe",
      "process_name": "cmd.exe",
      "module_path": "C:\\Windows\\System32\\cmd.exe",
      "pid": 540
    }
  ],
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-06-30 16:11:10",
    "ended": "2026-06-30 16:14:14",
    "duration": 184,
    "id": 113,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 113,
      "status": "stopping",
      "name": "win10",
      "label": "win10",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-06-30 16:11:10",
      "shutdown_on": "2026-06-30 16:14:14"
    },
    "package": "batch",
    "timeout": true,
    "tlp": null,
    "parent_sample": null,
    "options": {
      "vnc_port": "5900"
    },
    "source_url": null,
    "route": "internet",
    "user_id": 0,
    "CAPE_current_commit": "394455c2cd85889fb0782bfcf1f8c5c2f7f77b46"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 540,
        "process_name": "cmd.exe",
        "parent_id": 2604,
        "module_path": "C:\\Windows\\System32\\cmd.exe",
        "first_seen": "2026-06-30 23:11:28,384",
        "calls": [
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "1432",
            "caller": "0x7ff82d644f9d",
            "parentcaller": "0x7ff82d644b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "1432",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff60e048f50"
              },
              {
                "name": "Parameter",
                "value": "0xedad6a4000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "3612",
            "caller": "0x7ff82d62ea52",
            "parentcaller": "0x7ff82d5e77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 2
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "3768",
            "caller": "0x7ff82b0c1751",
            "parentcaller": "0x7ff82b0c1420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xee\\xdf\\xad\\xed\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xee\\xdf\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "3612",
            "caller": "0x7ff82b0c1751",
            "parentcaller": "0x7ff82b0c1420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00`\\xeb\\xcf\\xad\\xed\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xeb\\xcf\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "3768",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff801842f10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "3612",
            "caller": "0x7ff82d644f9d",
            "parentcaller": "0x7ff82d644b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "3612",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff801843070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "1636",
            "caller": "0x7ff82b0c1751",
            "parentcaller": "0x7ff82b0c1420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xec\\xbf\\xad\\xed\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xec\\xbf\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "1636",
            "caller": "0x7ff82d644f9d",
            "parentcaller": "0x7ff82d644b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "1636",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff801842e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "4736",
            "caller": "0x7ff82b0c1751",
            "parentcaller": "0x7ff82b0c1420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xaf\\xad\\xed\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xf0\\xaf\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "4736",
            "caller": "0x7ff82d644f9d",
            "parentcaller": "0x7ff82d644b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-30 23:11:28,634",
            "thread_id": "4736",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff801842a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0493c1",
            "parentcaller": "0x7ff60e048e29",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff60e049370"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e043828",
            "parentcaller": "0x7ff60e048ecd",
            "category": "threading",
            "api": "NtOpenThread",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000009"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001fffff",
                "pretty_value": "THREAD_ALL_ACCESS"
              },
              {
                "name": "ProcessId",
                "value": "0"
              },
              {
                "name": "ThreadId",
                "value": "18446744072323136648"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e04052c",
            "parentcaller": "0x7ff60e043839",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e04055b",
            "parentcaller": "0x7ff60e043839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadUILanguage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff82befc610"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e043839",
            "parentcaller": "0x7ff60e048ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xf8\\\\xad\\xed\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xed\\x00\\x00\\x00\\xa8\\xf8\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e04387c",
            "parentcaller": "0x7ff60e048ecd",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\System"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0438c6",
            "parentcaller": "0x7ff60e048ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00`\\xfb\\\\xad\\xed\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00h\\xfb\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e044de7",
            "parentcaller": "0x7ff60e043931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\xb0\\xfa\\\\xad\\xed\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xfa\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e044e0b",
            "parentcaller": "0x7ff60e043931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\xb0\\xfa\\\\xad\\xed\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xfa\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0405a5",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xfb\\\\xad\\xed\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xfb\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0405cc",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00(\\xdb\\x00\\x00\\x80\\xfa\\\\xad\\xed\\x00\\x00\\x00\\x04\\x00\\x00\\x00X\\xf0\\x00\\x00\\x88\\xfa\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0406a0",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xfb\\\\xad\\xed\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xfb\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e04060c",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00(\\xdb\\x00\\x00\\x80\\xfa\\\\xad\\xed\\x00\\x00\\x00\\x04\\x00\\x00\\x00X\\xf0\\x00\\x00\\x88\\xfa\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e04064e",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xfb\\\\xad\\xed\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xfb\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0455e1",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e04562a",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "ValueName",
                "value": "DisableUNCCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e04566e",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "ValueName",
                "value": "EnableExtensions"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0456c5",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "ValueName",
                "value": "DelayedExpansion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e045709",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "ValueName",
                "value": "DefaultColor"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e045760",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "ValueName",
                "value": "CompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0457d6",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "ValueName",
                "value": "PathCompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e045869",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "ValueName",
                "value": "AutoRun"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e045882",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0455e1",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e04589d",
            "parentcaller": "0x7ff60e044e35",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e0458ac",
            "parentcaller": "0x7ff60e044e35",
            "category": "misc",
            "api": "srand",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "seed",
                "value": "0x6a444d20"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e044e3c",
            "parentcaller": "0x7ff60e043931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x286673e22b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x28668da7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e044e88",
            "parentcaller": "0x7ff60e043931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x286673e22b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b190000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b190000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1b1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e043e85",
            "parentcaller": "0x7ff60e0424ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x28667402820",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x286674021c0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeedf2ef8"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-30 23:11:28,649",
            "thread_id": "1432",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x28667402a00",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee3f58c"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x286674023a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x28667402760",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e043ef0",
            "parentcaller": "0x7ff60e0424ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e03aa92",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866740c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e044f9c",
            "parentcaller": "0x7ff60e043931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x86\\x02\\x00\\x00\\xb0\\xfa\\\\xad\\xed\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xfa\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e045513",
            "parentcaller": "0x7ff60e04521e",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 61
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e0454c4",
            "parentcaller": "0x7ff60e044fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e0454c4",
            "parentcaller": "0x7ff60e044fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x28668dab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e0454c4",
            "parentcaller": "0x7ff60e044fc1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x28668dab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e044fff",
            "parentcaller": "0x7ff60e043931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x86\\x02\\x00\\x00\\x00\\xfb\\\\xad\\xed\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\xcf\\x00\\x00\\x08\\xfb\\\\xad\\xed\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x90A>g\\x86\\x02\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e0450f9",
            "parentcaller": "0x7ff60e043931",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e045116",
            "parentcaller": "0x7ff60e043931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              },
              {
                "name": "FunctionName",
                "value": "CopyFileExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff82bf006c0"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e045137",
            "parentcaller": "0x7ff60e043931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              },
              {
                "name": "FunctionName",
                "value": "IsDebuggerPresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff82bf001b0"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e045151",
            "parentcaller": "0x7ff60e043931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              },
              {
                "name": "FunctionName",
                "value": "SetConsoleInputExeNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff82b119ae0"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e04517c",
            "parentcaller": "0x7ff60e043931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x28668da6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e04517c",
            "parentcaller": "0x7ff60e043931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x28668dac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e0439f4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "start"
              },
              {
                "name": "Arguments",
                "value": " /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf6\\\\xad\\xed\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\x88\\xf6\\\\xad\\xed\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x86\\x02\\x00\\x00\\x90\\xf9\\\\xad\\xed\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x28668da6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1c1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1c6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1cb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1d5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1da000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e040c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x28667411000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x286674021c0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x92de3a2e"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0891"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e043a5d",
            "parentcaller": "0x7ff60e042fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e041257",
            "parentcaller": "0x7ff60e035ea6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2866b1d9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e036019",
            "parentcaller": "0x7ff60e03c862",
            "category": "process",
            "api": "UpdateProcThreadAttribute",
            "status": false,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Attribute",
                "value": "393217"
              },
              {
                "name": "Value",
                "value": "309237645313"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e03608f",
            "parentcaller": "0x7ff60e03c862",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000228"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000224"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\cmd.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "3712"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e03608f",
            "parentcaller": "0x7ff60e03c862",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ff82a670000"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-30 23:11:28,665",
            "thread_id": "1432",
            "caller": "0x7ff60e03608f",
            "parentcaller": "0x7ff60e03c862",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ff828e10000"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-30 23:11:28,680",
            "thread_id": "1432",
            "caller": "0x7ff60e03608f",
            "parentcaller": "0x7ff60e03c862",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SHCORE"
              },
              {
                "name": "DllBase",
                "value": "0x7ff82c9e0000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-30 23:11:28,680",
            "thread_id": "1432",
            "caller": "0x7ff60e03608f",
            "parentcaller": "0x7ff60e03c862",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-30 23:11:28,680",
            "thread_id": "1432",
            "caller": "0x7ff60e03608f",
            "parentcaller": "0x7ff60e03c862",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 92
          },
          {
            "timestamp": "2026-06-30 23:11:28,712",
            "thread_id": "1432",
            "caller": "0x7ff60e03608f",
            "parentcaller": "0x7ff60e03c862",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff82d5d0000"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-30 23:11:28,743",
            "thread_id": "1432",
            "caller": "0x7ff60e03608f",
            "parentcaller": "0x7ff60e03c862",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\cmd.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
              },
              {
                "name": "CreationFlags",
                "value": "0x00080410",
                "pretty_value": "CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "3712"
              },
              {
                "name": "ThreadId",
                "value": "4076"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000228"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000224"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 94
          },
          {
            "timestamp": "2026-06-30 23:11:28,743",
            "thread_id": "1432",
            "caller": "0x7ff60e036126",
            "parentcaller": "0x7ff60e03c862",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-30 23:11:28,743",
            "thread_id": "1432",
            "caller": "0x7ff60e045cd2",
            "parentcaller": "0x7ff60e0540a5",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-30 23:12:28,337",
            "thread_id": "4852",
            "caller": "0x7ff82d62461e",
            "parentcaller": "0x7ff82d6236e8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4852"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-30 23:12:28,337",
            "thread_id": "4728",
            "caller": "0x7ff82d62463e",
            "parentcaller": "0x7ff82d6236e8",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 98
          }
        ],
        "threads": [
          "1432",
          "3612",
          "3768",
          "1636",
          "4736",
          "4852",
          "4728"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff60e030000",
          "MainExeSize": "0x00067000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 3712,
        "process_name": "cmd.exe",
        "parent_id": 540,
        "module_path": "C:\\Windows\\System32\\cmd.exe",
        "first_seen": "2026-06-30 23:11:28,934",
        "calls": [
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "4076",
            "caller": "0x7ff82d644f9d",
            "parentcaller": "0x7ff82d644b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "4076",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff60e048f50"
              },
              {
                "name": "Parameter",
                "value": "0x7587fb0000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "3440",
            "caller": "0x7ff82d62ea52",
            "parentcaller": "0x7ff82d5e77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 2
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "2708",
            "caller": "0x7ff82b0c1751",
            "parentcaller": "0x7ff82b0c1420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xef_\\x88u\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xef_\\x88u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "2708",
            "caller": "0x7ff82d644f9d",
            "parentcaller": "0x7ff82d644b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "2708",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff801842f10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "3440",
            "caller": "0x7ff82b0c1751",
            "parentcaller": "0x7ff82b0c1420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xecO\\x88u\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xecO\\x88u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "3440",
            "caller": "0x7ff82d644f9d",
            "parentcaller": "0x7ff82d644b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "3440",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff801843070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "2792",
            "caller": "0x7ff82b0c1751",
            "parentcaller": "0x7ff82b0c1420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf0?\\x88u\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf0?\\x88u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "2792",
            "caller": "0x7ff82d644f9d",
            "parentcaller": "0x7ff82d644b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "2792",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff801842e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "4044",
            "caller": "0x7ff82b0c1751",
            "parentcaller": "0x7ff82b0c1420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xf0/\\x88u\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xf0/\\x88u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "4044",
            "caller": "0x7ff82d644f9d",
            "parentcaller": "0x7ff82d644b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-30 23:11:29,169",
            "thread_id": "4044",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff801842a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e0493c1",
            "parentcaller": "0x7ff60e048e29",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff60e049370"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e043828",
            "parentcaller": "0x7ff60e048ecd",
            "category": "threading",
            "api": "NtOpenThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000224"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001fffff",
                "pretty_value": "THREAD_ALL_ACCESS"
              },
              {
                "name": "ProcessId",
                "value": "3712"
              },
              {
                "name": "ThreadId",
                "value": "18446744071694186872"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e04052c",
            "parentcaller": "0x7ff60e043839",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e04055b",
            "parentcaller": "0x7ff60e043839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadUILanguage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff82befc610"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e043839",
            "parentcaller": "0x7ff60e048ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf5\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00u\\x00\\x00\\x00\\x98\\xf5\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e04387c",
            "parentcaller": "0x7ff60e048ecd",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\System"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e0438c6",
            "parentcaller": "0x7ff60e048ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00P\\xf8\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00X\\xf8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e044de7",
            "parentcaller": "0x7ff60e043931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\xa0\\xf7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xf7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e044e0b",
            "parentcaller": "0x7ff60e043931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\xa0\\xf7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xf7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e0405a5",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xf8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xf8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e0405cc",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00m\r\\x00\\x00p\\xf7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00Cd\\x00\\x00x\\xf7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e0406a0",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xf8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xf8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e04060c",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00m\r\\x00\\x00p\\xf7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00Cd\\x00\\x00x\\xf7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e04064e",
            "parentcaller": "0x7ff60e044e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xf8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xf8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e044a84",
            "parentcaller": "0x7ff60e044e1a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373378000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e044a84",
            "parentcaller": "0x7ff60e044b0c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373379000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e0455e1",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e04562a",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "DisableUNCCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e04566e",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "EnableExtensions"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-30 23:11:29,200",
            "thread_id": "4076",
            "caller": "0x7ff60e0456c5",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "DelayedExpansion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e045709",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "DefaultColor"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e045760",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "CompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e0457d6",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "PathCompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e045869",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "AutoRun"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e045882",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e0455e1",
            "parentcaller": "0x7ff60e044e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e04589d",
            "parentcaller": "0x7ff60e044e35",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e0458ac",
            "parentcaller": "0x7ff60e044e35",
            "category": "misc",
            "api": "srand",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "seed",
                "value": "0x6a444d21"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e044e3c",
            "parentcaller": "0x7ff60e043931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x1d373352310",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373347000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e044e88",
            "parentcaller": "0x7ff60e043931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x1d373352310",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3765d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3765d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3765e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3765f1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e043e85",
            "parentcaller": "0x7ff60e0424ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x1d3733723e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x1d373372380",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeedf2ef8"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x1d373372080",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee3f58c"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x1d373372bc0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a31",
            "parentcaller": "0x7ff60e043ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x1d373372500",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e042a4e",
            "parentcaller": "0x7ff60e043ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e043ef0",
            "parentcaller": "0x7ff60e0424ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e03aa92",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37337a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e03abf9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37337f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e03ac03",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373384000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e044f9c",
            "parentcaller": "0x7ff60e043931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xd3\\x01\\x00\\x00\\xa0\\xf7\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xf7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e045513",
            "parentcaller": "0x7ff60e04521e",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 66
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e0454c4",
            "parentcaller": "0x7ff60e044fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3765e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e0454c4",
            "parentcaller": "0x7ff60e044fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37334b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e0454c4",
            "parentcaller": "0x7ff60e044fc1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37334b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-30 23:11:29,216",
            "thread_id": "4076",
            "caller": "0x7ff60e044fff",
            "parentcaller": "0x7ff60e043931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xd3\\x01\\x00\\x00\\xf0\\xf7\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x98\\xe8\\x00\\x00\\xf8\\xf7\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00p\\x885s\\xd3\\x01\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e045022",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xf7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xd3\\x01\\x00\\x00x\\xf7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e045052",
            "parentcaller": "0x7ff60e043931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xf7\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xa8\\xf7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e0450f9",
            "parentcaller": "0x7ff60e043931",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e045116",
            "parentcaller": "0x7ff60e043931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              },
              {
                "name": "FunctionName",
                "value": "CopyFileExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff82bf006c0"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e045137",
            "parentcaller": "0x7ff60e043931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              },
              {
                "name": "FunctionName",
                "value": "IsDebuggerPresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff82bf001b0"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e045151",
            "parentcaller": "0x7ff60e043931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff82bee0000"
              },
              {
                "name": "FunctionName",
                "value": "SetConsoleInputExeNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff82b119ae0"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e04517c",
            "parentcaller": "0x7ff60e043931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373347000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e04517c",
            "parentcaller": "0x7ff60e043931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37334c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e0439f4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "Arguments",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xf3\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00x\\xf3\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xd3\\x01\\x00\\x00\\x80\\xf6\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3765e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e038ac1",
            "parentcaller": "0x7ff60e03c970",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100000",
                "pretty_value": "SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e038ac1",
            "parentcaller": "0x7ff60e03c970",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00\\\\x00"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e038ac1",
            "parentcaller": "0x7ff60e03c970",
            "category": "filesystem",
            "api": "GetVolumeInformationByHandleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "VolumeName",
                "value": ""
              },
              {
                "name": "VolumeSerial",
                "value": "0x1c64b66f"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e038ac1",
            "parentcaller": "0x7ff60e03c970",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e045b12",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373386000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e040c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373399000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x1d373372920",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x92de3a2e"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0891"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e043a5d",
            "parentcaller": "0x7ff60e042fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e045bce",
            "parentcaller": "0x7ff60e03c9bd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf1\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf1\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e04c73d",
            "parentcaller": "0x7ff60e045bdb",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00u\\x00\\x00\\x00\\xd0\\xf0\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf0\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa0A5s\\xd3\\x01\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4076"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "cmdext.dll"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cmdext.dll"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cmdext.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-30 23:11:29,231",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cmdext.dll"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000021c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a9000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a5000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a5000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a5000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a5000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a5000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a5000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-30 23:11:29,247",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\cmdext"
              },
              {
                "name": "DllBase",
                "value": "0x7ff8247a0000"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmdext"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff8247a14f0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff60e08c000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e048b32",
            "parentcaller": "0x7ff60e04985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff60e08c000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a9000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff8247a9000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "misc",
            "api": "SaferIdentifyLevel",
            "status": true,
            "return": "0x00000001",
            "arguments": [],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000003",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "8"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37337a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\x9a7s\\xd3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "15"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04208a",
            "parentcaller": "0x7ff60e03980b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373347000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e042784",
            "parentcaller": "0x7ff60e0404ae",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e0404da",
            "parentcaller": "0x7ff60e03ce8d",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 126
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e040099",
            "parentcaller": "0x7ff60e03f9b7",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "Buffer",
                "value": "start \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --disable-features=RendererCodeIntegrity \"https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/&dsh=S1728256510:1782835636577168&flowEntry=SignUp&flowName"
              },
              {
                "name": "Length",
                "value": "443"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e03fc59",
            "parentcaller": "0x7ff60e03fb52",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373396000"
              },
              {
                "name": "RegionSize",
                "value": "0x00022000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e04004c",
            "parentcaller": "0x7ff60e03f9b7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 129
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e040099",
            "parentcaller": "0x7ff60e03f9b7",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e03fb34",
            "parentcaller": "0x7ff60e03f50b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xc0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e03fb34",
            "parentcaller": "0x7ff60e03f50b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 132
          },
          {
            "timestamp": "2026-06-30 23:11:29,263",
            "thread_id": "4076",
            "caller": "0x7ff60e03cec6",
            "parentcaller": "0x7ff60e039826",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xe7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\xe8\\xe7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376601000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xe8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\x18\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e05c6ce",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp>"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xea\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xea\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e0579d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "start"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xea\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x008\\xea\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": " \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --disable-features=RendererCodeIntegrity \"https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/ "
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xea\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00x\\xea\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": " & "
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xf0\\xe9\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xe9\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e0579d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "dsh"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe9\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\xc8\\xe9\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "=S1728256510:1782835636577168 "
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\x08\\xea\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": " & "
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\x80\\xe9\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xe9\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e0579d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "flowEntry"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe9\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00X\\xe9\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "=SignUp "
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xe9\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\x98\\xe9\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": " & "
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\x10\\xe9\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xe9\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e0579d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "flowName"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xe8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\xe8\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "=GlifWebSignIn "
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00(\\xe9\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": " & "
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xa0\\xe8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e0579d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "gae"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xe8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00x\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "=cb-none "
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xe8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\xb8\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-30 23:11:29,278",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": " & "
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf8\\x7f\\x00\\x000\\xe8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e0579d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "hl"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\x08\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "=en "
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xe8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00H\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": " & "
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xc0\\xe7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xe7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e0579d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "ifkv"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xe7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\x98\\xe7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "=AcDsRvw1CVsatnVW1CzmzWxQ1V9pF_Jx6qr7YX2pv5dF3ZGMdZRyE_qxOcHoXhFXQ1a1udHRcipYUQ "
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\xd8\\xe7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": " & "
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00\\xc8\\xe7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e0579d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "TL"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xe7\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\x98\\xe7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "=ADCchmYjO8KuFmMZ51Nd2dCy-QPkK3MUbwYbQkB1CTnKBntpStl5cylS4R6mzDzE\" \" "
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xea\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\xe8\\xea\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376612000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e03b8d4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "start"
              },
              {
                "name": "Arguments",
                "value": " \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --disable-features=RendererCodeIntegrity \"https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xe5\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xe8\\xe5\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xd3\\x01\\x00\\x00\\xf0\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376622000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376632000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376642000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376647000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37664c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376656000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0332e8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdd\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xdd\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e033310",
            "parentcaller": "0x7ff60e0332a4",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xdd\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xc8\\xdd\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e03338b",
            "parentcaller": "0x7ff60e0332a4",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Invalid switch - \"/\".\r\n"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e03618e",
            "parentcaller": "0x7ff60e03c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37664d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0361a2",
            "parentcaller": "0x7ff60e03c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37664d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e0361ca",
            "parentcaller": "0x7ff60e03c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376641000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e036204",
            "parentcaller": "0x7ff60e03c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376641000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e036204",
            "parentcaller": "0x7ff60e03c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376631000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e036204",
            "parentcaller": "0x7ff60e03c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373347000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c87c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376631000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c87c",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e03b8d4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "dsh"
              },
              {
                "name": "Arguments",
                "value": "=S1728256510:1782835636577168"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe5\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00X\\xe5\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xd3\\x01\\x00\\x00`\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-30 23:11:29,294",
            "thread_id": "4076",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e040c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733b9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\dsh.*"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dsh.*"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\dsh.*"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\dsh.*"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\dsh.*"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OpenSSH\\dsh.*"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\dsh.*"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\dsh.*"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\dsh.*"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0332e8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xe1\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xe1\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e033310",
            "parentcaller": "0x7ff60e0332a4",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xe1\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xa8\\xe1\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e03338b",
            "parentcaller": "0x7ff60e0332a4",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "'dsh' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c9c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e03b8d4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "flowEntry"
              },
              {
                "name": "Arguments",
                "value": "=SignUp"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe4\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xc8\\xe4\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xd3\\x01\\x00\\x00\\xd0\\xe7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\flowEntry.*"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\flowEntry.*"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\flowEntry.*"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-30 23:11:29,309",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\flowEntry.*"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\flowEntry.*"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OpenSSH\\flowEntry.*"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\flowEntry.*"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\flowEntry.*"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\flowEntry.*"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0332e8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xe0\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xe0\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e033310",
            "parentcaller": "0x7ff60e0332a4",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xe1\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\x18\\xe1\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e03338b",
            "parentcaller": "0x7ff60e0332a4",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "'flowEntry' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c9c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e03b8d4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "flowName"
              },
              {
                "name": "Arguments",
                "value": "=GlifWebSignIn"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xe4\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x008\\xe4\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xd3\\x01\\x00\\x00@\\xe7\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e040c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733d9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\flowName.*"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\flowName.*"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\flowName.*"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\flowName.*"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\flowName.*"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OpenSSH\\flowName.*"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-30 23:11:29,325",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\flowName.*"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\flowName.*"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\flowName.*"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0332e8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe0\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xe0\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e033310",
            "parentcaller": "0x7ff60e0332a4",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xe0\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\x88\\xe0\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e03338b",
            "parentcaller": "0x7ff60e0332a4",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "'flowName' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c9c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e03b8d4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "gae"
              },
              {
                "name": "Arguments",
                "value": "=cb-none"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xe3\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xa8\\xe3\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xd3\\x01\\x00\\x00\\xb0\\xe6\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\gae.*"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\gae.*"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\gae.*"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\gae.*"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\gae.*"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OpenSSH\\gae.*"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\gae.*"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\gae.*"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\gae.*"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0332e8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xdf\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xdf\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e033310",
            "parentcaller": "0x7ff60e0332a4",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xdf\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xf8\\xdf\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e03338b",
            "parentcaller": "0x7ff60e0332a4",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "'gae' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c9c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e03b8d4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "hl"
              },
              {
                "name": "Arguments",
                "value": "=en"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xe3\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\x18\\xe3\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xd3\\x01\\x00\\x00 \\xe6\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e040c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733f9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\hl.*"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\hl.*"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\hl.*"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\hl.*"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\hl.*"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OpenSSH\\hl.*"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-30 23:11:29,341",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\hl.*"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\hl.*"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\hl.*"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0332e8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xdf\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xdf\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e033310",
            "parentcaller": "0x7ff60e0332a4",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xdf\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00h\\xdf\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e03338b",
            "parentcaller": "0x7ff60e0332a4",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "'hl' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c9c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e03b8d4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "ifkv"
              },
              {
                "name": "Arguments",
                "value": "=AcDsRvw1CVsatnVW1CzmzWxQ1V9pF_Jx6qr7YX2pv5dF3ZGMdZRyE_qxOcHoXhFXQ1a1udHRcipYUQ"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xe2\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\x88\\xe2\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xd3\\x01\\x00\\x00\\x90\\xe5\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ifkv.*"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ifkv.*"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\ifkv.*"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\ifkv.*"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\ifkv.*"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OpenSSH\\ifkv.*"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\ifkv.*"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\ifkv.*"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\ifkv.*"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0332e8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xde\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xde\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e033310",
            "parentcaller": "0x7ff60e0332a4",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xde\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xd8\\xde\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e03338b",
            "parentcaller": "0x7ff60e0332a4",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "'ifkv' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c9c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e03bea1",
            "parentcaller": "0x7ff60e03bef9",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "TL"
              },
              {
                "name": "Arguments",
                "value": "=ADCchmYjO8KuFmMZ51Nd2dCy-QPkK3MUbwYbQkB1CTnKBntpStl5cylS4R6mzDzE\" \""
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e03c665",
            "parentcaller": "0x7ff60e03bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xe2\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\xb8\\xe2\\xdf\\x87u\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xd3\\x01\\x00\\x00\\xc0\\xe5\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e049a8c",
            "parentcaller": "0x7ff60e049342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e03cdc4",
            "parentcaller": "0x7ff60e040c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373419000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TL.*"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TL.*"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-30 23:11:29,356",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\TL.*"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\TL.*"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\TL.*"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OpenSSH\\TL.*"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\TL.*"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\TL.*"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e048287",
            "parentcaller": "0x7ff60e042f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\TL.*"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0332e8",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xde\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xde\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e033310",
            "parentcaller": "0x7ff60e0332a4",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdf\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf8\\x7f\\x00\\x00\\x08\\xdf\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03338b",
            "parentcaller": "0x7ff60e0332a4",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "'TL' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c9c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e0405a5",
            "parentcaller": "0x7ff60e03d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xd3\\x01\\x00\\x000\\xec\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xd6\\xf3\\x00\\x008\\xec\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e0405cc",
            "parentcaller": "0x7ff60e03d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xd3\\x01\\x00\\x00P\\xeb\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00Cd\\x00\\x00X\\xeb\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e04060c",
            "parentcaller": "0x7ff60e03d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xd3\\x01\\x00\\x00P\\xeb\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00Cd\\x00\\x00X\\xeb\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03d00a",
            "parentcaller": "0x7ff60e039826",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xeb\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xeb\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03d02f",
            "parentcaller": "0x7ff60e039826",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37340a000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03d02f",
            "parentcaller": "0x7ff60e039826",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37340a000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03d02f",
            "parentcaller": "0x7ff60e039826",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe8\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00u\\x00\\x00\\x00\\xc8\\xe8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03d04b",
            "parentcaller": "0x7ff60e039826",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03d04b",
            "parentcaller": "0x7ff60e039826",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d376611000"
              },
              {
                "name": "RegionSize",
                "value": "0x00049000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e042784",
            "parentcaller": "0x7ff60e0404ae",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e0404da",
            "parentcaller": "0x7ff60e03ce8d",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733f9000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733f9000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733e9000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733e9000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733d8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00060000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733c7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733c7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733b7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733b7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3733a7000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e03ceaa",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373396000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e04004c",
            "parentcaller": "0x7ff60e03f9b7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 346
          },
          {
            "timestamp": "2026-06-30 23:11:29,372",
            "thread_id": "4076",
            "caller": "0x7ff60e040099",
            "parentcaller": "0x7ff60e03f9b7",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-30 23:11:29,388",
            "thread_id": "4076",
            "caller": "0x7ff60e03fb34",
            "parentcaller": "0x7ff60e03f438",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xc0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-30 23:11:29,388",
            "thread_id": "4076",
            "caller": "0x7ff60e03fb34",
            "parentcaller": "0x7ff60e03f438",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-06-30 23:11:29,388",
            "thread_id": "4076",
            "caller": "0x7ff60e03fc59",
            "parentcaller": "0x7ff60e03fb52",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373396000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-06-30 23:11:29,388",
            "thread_id": "4076",
            "caller": "0x7ff60e04004c",
            "parentcaller": "0x7ff60e03f9b7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 351
          },
          {
            "timestamp": "2026-06-30 23:11:29,388",
            "thread_id": "4076",
            "caller": "0x7ff60e040099",
            "parentcaller": "0x7ff60e03f9b7",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-30 23:11:29,388",
            "thread_id": "4076",
            "caller": "0x7ff60e03fb34",
            "parentcaller": "0x7ff60e03f52a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xc0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-30 23:11:29,388",
            "thread_id": "4076",
            "caller": "0x7ff60e03fb34",
            "parentcaller": "0x7ff60e03f52a",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 354
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e03cec6",
            "parentcaller": "0x7ff60e039826",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e039887",
            "parentcaller": "0x7ff60e045bf0",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3765f1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e04857e",
            "parentcaller": "0x7ff60e03c9c9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d3765f1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e0405a5",
            "parentcaller": "0x7ff60e04398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00m\r\\x00\\x00\\x00\\xf9\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf5\\x7f\\x00\\x00\\x08\\xf9\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e0405cc",
            "parentcaller": "0x7ff60e04398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xd3\\x01\\x00\\x00 \\xf8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00Cd\\x00\\x00(\\xf8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e04060c",
            "parentcaller": "0x7ff60e04398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xd3\\x01\\x00\\x00 \\xf8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00Cd\\x00\\x00(\\xf8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e043992",
            "parentcaller": "0x7ff60e048ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xf8\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00u\\x00\\x00\\x00X\\xf8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e0439b3",
            "parentcaller": "0x7ff60e048ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf5\\xdf\\x87u\\x00\\x00\\x00\\x08\\x00\\x00\\x00u\\x00\\x00\\x00\\x98\\xf5\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e040243",
            "parentcaller": "0x7ff60e04eb6d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xd3\\x01\\x00\\x00 \\xf8\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00Cd\\x00\\x00(\\xf8\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e04890e",
            "parentcaller": "0x7ff60e048737",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e048a27",
            "parentcaller": "0x7ff60e048930",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e0489bd",
            "parentcaller": "0x7ff60e048953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e048973",
            "parentcaller": "0x7ff60e048737",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e04eba6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373386000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e04eba6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373386000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e04eba6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373382000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e04eba6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d373382000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e03dfd3",
            "parentcaller": "0x7ff60e04eba6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d37337d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00028000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xf3\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00x\\xf3\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e043491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e0435f4",
            "parentcaller": "0x7ff60e0434c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xf3\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\xa8\\xf3\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e043548",
            "parentcaller": "0x7ff60e05c6ce",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp>"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e040243",
            "parentcaller": "0x7ff60e04d266",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xd3\\x01\\x00\\x00\\xe0\\xf6\\xdf\\x87u\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\xe8\\xf6\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 377
          },
          {
            "timestamp": "2026-06-30 23:11:29,403",
            "thread_id": "4076",
            "caller": "0x7ff60e057fa5",
            "parentcaller": "0x7ff60e04d31b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\xd3\\x01\\x00\\x00@\\xf6\\xdf\\x87u\\x00\\x00\\x00\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xf6\\xdf\\x87u\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-30 23:12:28,919",
            "thread_id": "3540",
            "caller": "0x7ff82d62461e",
            "parentcaller": "0x7ff82d6236e8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3540"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-30 23:12:28,919",
            "thread_id": "4880",
            "caller": "0x7ff82d62463e",
            "parentcaller": "0x7ff82d6236e8",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 380
          }
        ],
        "threads": [
          "4076",
          "3440",
          "2708",
          "2792",
          "4044",
          "3540",
          "4880"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff60e030000",
          "MainExeSize": "0x00067000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "cmd.exe",
        "pid": 540,
        "parent_id": 2604,
        "module_path": "C:\\Windows\\System32\\cmd.exe",
        "children": [
          {
            "name": "cmd.exe",
            "pid": 3712,
            "parent_id": 540,
            "module_path": "C:\\Windows\\System32\\cmd.exe",
            "children": [],
            "threads": [
              "4076",
              "3440",
              "2708",
              "2792",
              "4044",
              "3540",
              "4880"
            ],
            "environ": {
              "UserName": "Rajesh",
              "ComputerName": "DESKTOP-P54VDBR",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
              "CommandLine": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\"",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "1c64-b66f",
              "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff60e030000",
              "MainExeSize": "0x00067000",
              "Bitness": "64-bit"
            }
          }
        ],
        "threads": [
          "1432",
          "3612",
          "3768",
          "1636",
          "4736",
          "4852",
          "4728"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff60e030000",
          "MainExeSize": "0x00067000",
          "Bitness": "64-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp",
        "C:\\Users",
        "C:\\Users\\Rajesh",
        "C:\\Users\\Rajesh\\AppData",
        "C:\\Users\\Rajesh\\AppData\\Local",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat",
        "C:\\",
        "C:\\Windows\\System32\\cmdext.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\dsh.*",
        "C:\\Windows\\System32\\dsh.*",
        "C:\\Windows\\dsh.*",
        "C:\\Windows\\System32\\wbem\\dsh.*",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\dsh.*",
        "C:\\Windows\\System32\\OpenSSH\\dsh.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\dsh.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\dsh.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\dsh.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\flowEntry.*",
        "C:\\Windows\\System32\\flowEntry.*",
        "C:\\Windows\\flowEntry.*",
        "C:\\Windows\\System32\\wbem\\flowEntry.*",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\flowEntry.*",
        "C:\\Windows\\System32\\OpenSSH\\flowEntry.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\flowEntry.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\flowEntry.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\flowEntry.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\flowName.*",
        "C:\\Windows\\System32\\flowName.*",
        "C:\\Windows\\flowName.*",
        "C:\\Windows\\System32\\wbem\\flowName.*",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\flowName.*",
        "C:\\Windows\\System32\\OpenSSH\\flowName.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\flowName.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\flowName.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\flowName.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\gae.*",
        "C:\\Windows\\System32\\gae.*",
        "C:\\Windows\\gae.*",
        "C:\\Windows\\System32\\wbem\\gae.*",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\gae.*",
        "C:\\Windows\\System32\\OpenSSH\\gae.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\gae.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\gae.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\gae.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\hl.*",
        "C:\\Windows\\System32\\hl.*",
        "C:\\Windows\\hl.*",
        "C:\\Windows\\System32\\wbem\\hl.*",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\hl.*",
        "C:\\Windows\\System32\\OpenSSH\\hl.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\hl.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\hl.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\hl.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ifkv.*",
        "C:\\Windows\\System32\\ifkv.*",
        "C:\\Windows\\ifkv.*",
        "C:\\Windows\\System32\\wbem\\ifkv.*",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\ifkv.*",
        "C:\\Windows\\System32\\OpenSSH\\ifkv.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\ifkv.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\ifkv.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\ifkv.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TL.*",
        "C:\\Windows\\System32\\TL.*",
        "C:\\Windows\\TL.*",
        "C:\\Windows\\System32\\wbem\\TL.*",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\TL.*",
        "C:\\Windows\\System32\\OpenSSH\\TL.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\TL.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\TL.*",
        "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps\\TL.*"
      ],
      "read_files": [],
      "write_files": [],
      "delete_files": [],
      "keys": [
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun"
      ],
      "write_keys": [],
      "delete_keys": [],
      "executed_commands": [
        "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
      ],
      "resolved_apis": [],
      "mutexes": [],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-30 23:11:28,649",
        "eid": 1,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:28,649",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:28,649",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:28,649",
        "eid": 4,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:28,649",
        "eid": 5,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:28,649",
        "eid": 6,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:28,649",
        "eid": 7,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:28,649",
        "eid": 8,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-30 23:11:28,665",
        "eid": 9,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-30 23:11:28,712",
        "eid": 10,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff82d5d0000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-30 23:11:28,743",
        "eid": 11,
        "data": {
          "file": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-30 23:11:29,200",
        "eid": 12,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:29,200",
        "eid": 13,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:29,200",
        "eid": 14,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:29,200",
        "eid": 15,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:29,216",
        "eid": 16,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:29,216",
        "eid": 17,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:29,216",
        "eid": 18,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-30 23:11:29,216",
        "eid": 19,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-30 23:11:29,231",
        "eid": 20,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-30 23:11:29,263",
        "eid": 21,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-30 23:11:29,263",
        "eid": 22,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-30 23:11:29,372",
        "eid": 23,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-30 23:11:29,388",
        "eid": 24,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat"
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": [],
      "com_activations": []
    }
  },
  "debug": {
    "log": "2026-06-30 06:08:42,598 [root] INFO: Date set to: 20260630T16:11:14, timeout set to: 150\n2026-06-30 16:11:14,082 [root] DEBUG: Starting analyzer from: C:\\1quxgwlh\n2026-06-30 16:11:14,084 [root] DEBUG: Storing results at: C:\\ybKuGCDHA\n2026-06-30 16:11:14,085 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\mymFpBV\n2026-06-30 16:11:14,085 [root] DEBUG: Python path: C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\n2026-06-30 16:11:14,086 [root] INFO: analysis running as an admin\n2026-06-30 16:11:14,086 [root] DEBUG: no analysis package configured, picking one for you\n2026-06-30 16:11:14,087 [root] INFO: analysis package selected: \"batch\"\n2026-06-30 16:11:14,087 [root] DEBUG: importing analysis package module: \"modules.packages.batch\"...\n2026-06-30 16:11:14,095 [root] DEBUG: imported analysis package \"batch\"\n2026-06-30 16:11:14,095 [root] DEBUG: initializing analysis package \"batch\"...\n2026-06-30 16:11:14,096 [lib.common.common] INFO: no wrapping\n2026-06-30 16:11:14,096 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-30 16:11:14,097 [root] DEBUG: New location of moved file: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\n2026-06-30 16:11:14,097 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll option\n2026-06-30 16:11:14,097 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll_64 option\n2026-06-30 16:11:14,097 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader option\n2026-06-30 16:11:14,097 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader_64 option\n2026-06-30 16:11:14,203 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-06-30 16:11:14,222 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-06-30 16:11:14,603 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-06-30 
16:11:15,908 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-06-30 16:11:15,912 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-06-30 16:11:15,913 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-06-30 16:11:15,914 [root] DEBUG: attempting to configure 'Browser' from data\n2026-06-30 16:11:15,916 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-06-30 16:11:15,916 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-06-30 16:11:15,968 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-06-30 16:11:15,968 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-06-30 16:11:15,969 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-06-30 16:11:15,970 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-06-30 16:11:15,970 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-06-30 16:11:15,970 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-06-30 16:11:16,504 [modules.auxiliary.digisig] DEBUG: File has an invalid signature\n2026-06-30 16:11:16,505 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-06-30 16:11:16,506 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-06-30 16:11:16,506 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-06-30 16:11:16,506 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-06-30 16:11:16,507 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-06-30 16:11:16,507 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2026-06-30 16:11:16,512 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 2728)\n2026-06-30 16:11:16,518 [modules.auxiliary.disguise] INFO: Disguising GUID to 
3e02f164-72bf-4b30-b527-684cb02b52d5\n2026-06-30 16:11:16,519 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-06-30 16:11:16,519 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-06-30 16:11:16,519 [root] DEBUG: attempting to configure 'Human' from data\n2026-06-30 16:11:16,520 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-06-30 16:11:16,520 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-06-30 16:11:16,530 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-06-30 16:11:16,531 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-06-30 16:11:16,531 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-06-30 16:11:16,533 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-06-30 16:11:16,539 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-06-30 16:11:16,624 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process\n2026-06-30 16:11:16,625 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-06-30 16:11:23,526 [root] INFO: Restarting WMI Service\n2026-06-30 16:11:25,697 [root] DEBUG: package modules.packages.batch does not support configure, ignoring\n2026-06-30 16:11:25,702 [root] WARNING: configuration error for package modules.packages.batch: error importing data.packages.batch: No module named 'data.packages'\n2026-06-30 16:11:25,704 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-30 16:11:25,710 [lib.api.process] INFO: Successfully executed process from path \"C:\\Windows\\system32\\cmd.exe\" with arguments \"/c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\"\" with pid 540\n2026-06-30 16:11:26,057 [lib.api.process] INFO: Monitor config for process 540: C:\\1quxgwlh\\dll\\540.ini\n2026-06-30 16:11:26,117 
[lib.api.process] INFO: 64-bit DLL to inject is C:\\1quxgwlh\\dll\\DcRWkaHN.dll, loader C:\\1quxgwlh\\bin\\mKZTghWt.exe\n2026-06-30 16:11:26,144 [root] DEBUG: Loader: Injecting process 540 (thread 1432) with C:\\1quxgwlh\\dll\\DcRWkaHN.dll.\n2026-06-30 16:11:26,146 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-30 16:11:26,147 [root] DEBUG: Successfully injected DLL C:\\1quxgwlh\\dll\\DcRWkaHN.dll.\n2026-06-30 16:11:26,151 [lib.api.process] INFO: Injected into 64-bit <Process 540 cmd.exe>\n2026-06-30 16:11:28,159 [lib.api.process] INFO: Successfully resumed process with pid 540\n2026-06-30 16:11:28,372 [root] DEBUG: 540: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-30 16:11:28,376 [root] DEBUG: 540: Disabling sleep skipping.\n2026-06-30 16:11:28,378 [root] DEBUG: 540: Dropped file limit defaulting to 100.\n2026-06-30 16:11:28,403 [root] DEBUG: 540: YaraInit: Compiled 44 rule files\n2026-06-30 16:11:28,407 [root] DEBUG: 540: YaraInit: Compiled rules saved to file C:\\1quxgwlh\\data\\yara\\capemon.yac\n2026-06-30 16:11:28,496 [root] DEBUG: 540: RtlInsertInvertedFunctionTable 0x00007FF82D5E090E, LdrpInvertedFunctionTableSRWLock 0x00007FF82D73B4F0\n2026-06-30 16:11:28,498 [root] DEBUG: 540: YaraScan: Scanning 0x00007FF60E030000, size 0x6630a\n2026-06-30 16:11:28,505 [root] DEBUG: 540: YaraScan hit: FindFixAndRun\n2026-06-30 16:11:28,506 [root] DEBUG: 540: Monitor initialised: 64-bit capemon loaded in process 540 at 0x00007FF801740000, thread 1432, image base 0x00007FF60E030000, stack from 0x000000EDAD4D4000-0x000000EDAD5D0000\n2026-06-30 16:11:28,507 [root] DEBUG: 540: Commandline: \"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\"\n2026-06-30 16:11:28,525 [root] DEBUG: 540: hook_api: LdrpCallInitRoutine export address 0x00007FF82D5E99BC obtained via GetFunctionAddress\n2026-06-30 16:11:28,585 [root] WARNING: b'Unable to create trampoline for 
LockResource, hook type 2'\n2026-06-30 16:11:28,586 [root] DEBUG: 540: set_hooks: Unable to hook LockResource\n2026-06-30 16:11:28,606 [root] DEBUG: 540: Hooked 630 out of 631 functions\n2026-06-30 16:11:28,614 [root] DEBUG: 540: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF60E03C620\n2026-06-30 16:11:28,617 [root] DEBUG: 540: Syscall hook installed, syscall logging level 1\n2026-06-30 16:11:28,639 [root] DEBUG: 540: RestoreHeaders: Restored original import table.\n2026-06-30 16:11:28,640 [root] INFO: Loaded monitor into process with pid 540\n2026-06-30 16:11:28,645 [root] DEBUG: 540: caller_dispatch: Added region at 0x00007FF60E030000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF60E0493C1, thread 1432).\n2026-06-30 16:11:28,647 [root] DEBUG: 540: YaraScan: Scanning 0x00007FF60E030000, size 0x6630a\n2026-06-30 16:11:28,656 [root] DEBUG: 540: ProcessImageBase: Main module image at 0x00007FF60E030000 unmodified (entropy change 0.000000e+00)\n2026-06-30 16:11:28,682 [root] DEBUG: 540: DLL loaded at 0x00007FF82A670000: C:\\Windows\\system32\\Wldp (0x2c000 bytes).\n2026-06-30 16:11:28,684 [root] DEBUG: 540: DLL loaded at 0x00007FF828E10000: C:\\Windows\\SYSTEM32\\windows.storage (0x790000 bytes).\n2026-06-30 16:11:28,689 [root] DEBUG: 540: DLL loaded at 0x00007FF82C9E0000: C:\\Windows\\System32\\SHCORE (0xad000 bytes).\n2026-06-30 16:11:28,693 [root] DEBUG: 540: CreateProcessHandler: Injection info set for new process 3712: C:\\Windows\\system32\\cmd.exe, ImageBase: 0x00007FF60E030000\n2026-06-30 16:11:28,695 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3712\n2026-06-30 16:11:28,696 [lib.api.process] INFO: Monitor config for process 3712: C:\\1quxgwlh\\dll\\3712.ini\n2026-06-30 16:11:28,706 [lib.api.process] INFO: 64-bit DLL to inject is C:\\1quxgwlh\\dll\\DcRWkaHN.dll, loader C:\\1quxgwlh\\bin\\mKZTghWt.exe\n2026-06-30 16:11:28,720 [root] DEBUG: Loader: Injecting process 3712 (thread 4076) with 
C:\\1quxgwlh\\dll\\DcRWkaHN.dll.\n2026-06-30 16:11:28,721 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-30 16:11:28,722 [root] DEBUG: Successfully injected DLL C:\\1quxgwlh\\dll\\DcRWkaHN.dll.\n2026-06-30 16:11:28,725 [lib.api.process] INFO: Injected into 64-bit <Process 3712 cmd.exe>\n2026-06-30 16:11:28,728 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3712\n2026-06-30 16:11:28,728 [lib.api.process] INFO: Monitor config for process 3712: C:\\1quxgwlh\\dll\\3712.ini\n2026-06-30 16:11:28,730 [lib.api.process] INFO: 64-bit DLL to inject is C:\\1quxgwlh\\dll\\DcRWkaHN.dll, loader C:\\1quxgwlh\\bin\\mKZTghWt.exe\n2026-06-30 16:11:28,742 [root] DEBUG: Loader: Injecting process 3712 (thread 4076) with C:\\1quxgwlh\\dll\\DcRWkaHN.dll.\n2026-06-30 16:11:28,744 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-30 16:11:28,745 [root] DEBUG: Successfully injected DLL C:\\1quxgwlh\\dll\\DcRWkaHN.dll.\n2026-06-30 16:11:28,748 [lib.api.process] INFO: Injected into 64-bit <Process 3712 cmd.exe>\n2026-06-30 16:11:28,938 [root] DEBUG: 3712: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-30 16:11:28,940 [root] DEBUG: 3712: Dropped file limit defaulting to 100.\n2026-06-30 16:11:28,945 [root] DEBUG: 3712: Disabling sleep skipping.\n2026-06-30 16:11:28,956 [root] DEBUG: 3712: YaraInit: Compiled rules loaded from existing file C:\\1quxgwlh\\data\\yara\\capemon.yac\n2026-06-30 16:11:28,977 [root] DEBUG: 3712: RtlInsertInvertedFunctionTable 0x00007FF82D5E090E, LdrpInvertedFunctionTableSRWLock 0x00007FF82D73B4F0\n2026-06-30 16:11:28,979 [root] DEBUG: 3712: YaraScan: Scanning 0x00007FF60E030000, size 0x6630a\n2026-06-30 16:11:28,990 [root] DEBUG: 3712: YaraScan hit: FindFixAndRun\n2026-06-30 16:11:28,991 [root] DEBUG: 3712: Monitor initialised: 64-bit capemon loaded in process 3712 at 0x00007FF801740000, thread 4076, image base 0x00007FF60E030000, stack from 
0x0000007587D04000-0x0000007587E00000\n2026-06-30 16:11:28,993 [root] DEBUG: 3712: Commandline: C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\"\n2026-06-30 16:11:29,051 [root] DEBUG: 3712: hook_api: LdrpCallInitRoutine export address 0x00007FF82D5E99BC obtained via GetFunctionAddress\n2026-06-30 16:11:29,118 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-30 16:11:29,119 [root] DEBUG: 3712: set_hooks: Unable to hook LockResource\n2026-06-30 16:11:29,136 [root] DEBUG: 3712: Hooked 630 out of 631 functions\n2026-06-30 16:11:29,153 [root] DEBUG: 3712: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF60E03C620\n2026-06-30 16:11:29,156 [root] DEBUG: 3712: Syscall hook installed, syscall logging level 1\n2026-06-30 16:11:29,172 [root] DEBUG: 3712: RestoreHeaders: Restored original import table.\n2026-06-30 16:11:29,174 [root] INFO: Loaded monitor into process with pid 3712\n2026-06-30 16:11:29,178 [root] DEBUG: 3712: caller_dispatch: Added region at 0x00007FF60E030000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF60E0493C1, thread 4076).\n2026-06-30 16:11:29,179 [root] DEBUG: 3712: YaraScan: Scanning 0x00007FF60E030000, size 0x6630a\n2026-06-30 16:11:29,199 [root] DEBUG: 3712: ProcessImageBase: Main module image at 0x00007FF60E030000 unmodified (entropy change 0.000000e+00)\n2026-06-30 16:11:29,262 [root] DEBUG: 3712: DLL loaded at 0x00007FF8247A0000: C:\\Windows\\SYSTEM32\\cmdext (0xc000 bytes).\n2026-06-30 16:13:58,693 [root] INFO: Analysis timeout hit, terminating analysis\n2026-06-30 16:13:58,696 [lib.api.process] INFO: Terminate event set for process 540\n2026-06-30 16:13:58,699 [root] DEBUG: 540: Terminate Event: Attempting to dump process 540\n2026-06-30 16:13:58,704 [root] DEBUG: 540: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching\n2026-06-30 16:13:58,705 [root] DEBUG: 540: DoProcessDump: Code modification detected, 
dumping Imagebase at 0x00007FF60E030000.\n2026-06-30 16:13:58,706 [root] DEBUG: 540: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-06-30 16:13:58,707 [root] DEBUG: 540: DumpProcess: Instantiating PeParser with address: 0x00007FF60E030000.\n2026-06-30 16:13:58,709 [root] DEBUG: 540: DumpProcess: Module entry point VA is 0x00007FF60E048F50.\n2026-06-30 16:13:58,738 [lib.common.results] INFO: Uploading file C:\\ybKuGCDHA\\CAPE\\540_2902858132330262026 to procdump\\31aefc078054212033b91771ef3f0278cf9dfc7b96bb677b3cd64ff4940aaaf3; Size is 401920; Max size: 100000000\n2026-06-30 16:13:58,774 [root] DEBUG: 540: DumpProcess: Module image dump success - dump size 0x62200.\n2026-06-30 16:13:58,789 [root] DEBUG: 540: Terminate Event: Shutdown complete for process 540 but failed to inform analyzer.\n2026-06-30 16:14:03,705 [lib.api.process] INFO: Termination confirmed for process 540\n2026-06-30 16:14:03,706 [root] INFO: Terminate event set for process 540\n2026-06-30 16:14:03,706 [lib.api.process] INFO: Terminate event set for process 3712\n2026-06-30 16:14:03,709 [root] DEBUG: 3712: Terminate Event: Attempting to dump process 3712\n2026-06-30 16:14:03,711 [root] DEBUG: 3712: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching\n2026-06-30 16:14:03,712 [root] DEBUG: 3712: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF60E030000.\n2026-06-30 16:14:03,714 [root] DEBUG: 3712: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-06-30 16:14:03,715 [root] DEBUG: 3712: DumpProcess: Instantiating PeParser with address: 0x00007FF60E030000.\n2026-06-30 16:14:03,716 [root] DEBUG: 3712: DumpProcess: Module entry point VA is 0x00007FF60E048F50.\n2026-06-30 16:14:03,727 [lib.common.results] INFO: Uploading file C:\\ybKuGCDHA\\CAPE\\3712_295613142330262026 to procdump\\c1f45c0a3f5ca544584ee7c67ac1c6836867e503969d246fee58443e574a9acc; Size is 403456; Max size: 100000000\n2026-06-30 16:14:03,759 
[root] DEBUG: 3712: DumpProcess: Module image dump success - dump size 0x62800.\n2026-06-30 16:14:03,772 [lib.api.process] INFO: Termination confirmed for process 3712\n2026-06-30 16:14:03,773 [root] INFO: Terminate event set for process 3712\n2026-06-30 16:14:03,773 [root] INFO: Created shutdown mutex\n2026-06-30 16:14:03,773 [root] DEBUG: 3712: Terminate Event: monitor shutdown complete for process 3712\n2026-06-30 16:14:04,782 [root] INFO: Shutting down package\n2026-06-30 16:14:04,784 [root] INFO: Stopping auxiliary modules\n2026-06-30 16:14:04,784 [root] INFO: Stopping auxiliary module: Browser\n2026-06-30 16:14:04,784 [root] INFO: Stopping auxiliary module: Human\n2026-06-30 16:14:08,914 [root] INFO: Finishing auxiliary modules\n2026-06-30 16:14:08,916 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-06-30 16:14:08,916 [root] WARNING: Folder at path \"C:\\ybKuGCDHA\\debugger\" does not exist, skipping\n2026-06-30 16:14:08,917 [root] WARNING: Folder at path \"C:\\ybKuGCDHA\\tlsdump\" does not exist, skipping\n2026-06-30 16:14:08,918 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "7391447c81aea8951e58e3a0ef3058f641858386f96a73179e0c6e570ee353c3",
    "hosts": [
      {
        "ip": "64.233.166.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "172.66.2.5",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "104.18.22.215",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      }
    ],
    "domains": [],
    "tcp": [
      {
        "src": "192.168.122.5",
        "sport": 49793,
        "dst": "20.190.159.131",
        "dport": 443,
        "offset": 5320,
        "time": 0.05489397048950195
      },
      {
        "src": "192.168.122.5",
        "sport": 49790,
        "dst": "104.18.22.215",
        "dport": 443,
        "offset": 45869,
        "time": 1.8270061016082764
      },
      {
        "src": "192.168.122.5",
        "sport": 49797,
        "dst": "74.125.206.113",
        "dport": 443,
        "offset": 53034,
        "time": 43.356659173965454
      },
      {
        "src": "192.168.122.5",
        "sport": 49800,
        "dst": "64.233.166.94",
        "dport": 80,
        "offset": 58559,
        "time": 60.24869108200073
      },
      {
        "src": "142.250.110.95",
        "sport": 443,
        "dst": "192.168.122.5",
        "dport": 49800,
        "offset": 355481,
        "time": 144.8714201450348
      }
    ],
    "udp": [
      {
        "src": "192.168.122.5",
        "sport": 63455,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.122.5",
        "sport": 63456,
        "dst": "239.255.255.250",
        "dport": 1900,
        "offset": 46430,
        "time": 33.31225895881653
      },
      {
        "src": "192.168.122.5",
        "sport": 50178,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 47428,
        "time": 42.33796715736389
      },
      {
        "src": "192.168.122.5",
        "sport": 5353,
        "dst": "224.0.0.251",
        "dport": 5353,
        "offset": 47830,
        "time": 42.3412401676178
      },
      {
        "src": "192.168.122.5",
        "sport": 53089,
        "dst": "224.0.0.252",
        "dport": 5355,
        "offset": 47916,
        "time": 42.342973947525024
      },
      {
        "src": "192.168.122.5",
        "sport": 62396,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 54942,
        "time": 60.14438796043396
      },
      {
        "src": "192.168.122.5",
        "sport": 51201,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 59826,
        "time": 87.44724917411804
      },
      {
        "src": "192.168.122.5",
        "sport": 62476,
        "dst": "224.0.0.252",
        "dport": 5355,
        "offset": 60216,
        "time": 87.45090794563293
      },
      {
        "src": "192.168.122.5",
        "sport": 62477,
        "dst": "239.255.255.250",
        "dport": 1900,
        "offset": 355694,
        "time": 153.31605696678162
      }
    ],
    "icmp": [],
    "http": [
      {
        "count": 1,
        "host": "c.pki.goog",
        "port": 80,
        "data": "GET /r/gsr1.crl HTTP/1.1\r\nCache-Control: max-age = 3000\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 07 Apr 2026 02:18:00 GMT\r\nUser-Agent: Microsoft-CryptoAPI/10.0\r\nHost: c.pki.goog\r\n\r\n",
        "uri": "http://c.pki.goog/r/gsr1.crl",
        "body": "",
        "path": "/r/gsr1.crl",
        "user-agent": "Microsoft-CryptoAPI/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1782835940.483932
      },
      {
        "count": 1,
        "host": "c.pki.goog",
        "port": 80,
        "data": "GET /r/r4.crl HTTP/1.1\r\nCache-Control: max-age = 3000\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Wed, 11 Feb 2026 14:38:00 GMT\r\nUser-Agent: Microsoft-CryptoAPI/10.0\r\nHost: c.pki.goog\r\n\r\n",
        "uri": "http://c.pki.goog/r/r4.crl",
        "body": "",
        "path": "/r/r4.crl",
        "user-agent": "Microsoft-CryptoAPI/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1782835940.497935
      }
    ],
    "dns": [],
    "smtp": [],
    "irc": [],
    "dead_hosts": [
      [
        "172.66.2.5",
        80
      ]
    ]
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "stealth_network",
      "description": "Network activity detected but not expressed in monitor API logs",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "ip": "64.233.166.94"
        },
        {
          "ip": "172.66.2.5"
        },
        {
          "ip": "104.18.22.215"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_locale_api",
      "description": "Queries the computer locale (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 540,
          "cid": 61
        },
        {
          "type": "call",
          "pid": 3712,
          "cid": 66
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antidebug_setunhandledexceptionfilter",
      "description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
      "categories": [
        "anti-debug"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 540,
          "cid": 14
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "cmdline_terminate",
      "description": "Executed a command line with the /C or /R argument, which terminates the command shell on completion and can be used to hide execution",
      "categories": [
        "command"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "command": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "privilege_elevation_check",
      "description": "Queries process token information to check for Administrator privileges or UAC elevation status",
      "categories": [
        "discovery",
        "privilege_escalation"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3712,
          "cid": 365
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_http",
      "description": "Performs some HTTP requests",
      "categories": [
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "url": "http://c.pki.goog/r/gsr1.crl"
        },
        {
          "url": "http://c.pki.goog/r/r4.crl"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "uses_windows_utilities",
      "description": "Uses Windows utilities for basic functionality",
      "categories": [
        "command",
        "lateral"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "command": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\testt.bat\""
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "hardware_id_profiling",
      "description": "Queries the Volume Serial Number or Physical Hardware ID, possibly for anti-sandbox, victim profiling or environmental keying",
      "categories": [
        "evasion",
        "recon",
        "anti-sandbox"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3712,
          "cid": 84
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 5.199999999999999,
  "ttps": [
    {
      "signature": "stealth_network",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "hardware_id_profiling",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "E1082",
        "E1480.001"
      ]
    },
    {
      "signature": "privilege_elevation_check",
      "ttps": [
        "T1033",
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_http",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "cmdline_terminate",
      "ttps": [
        "T1059"
      ],
      "mbcs": [
        "OB0009",
        "E1059"
      ]
    },
    {
      "signature": "uses_windows_utilities",
      "ttps": [
        "T1202"
      ],
      "mbcs": [
        "OB0009",
        "E1203.m06"
      ]
    }
  ],
  "malstatus": null
}