{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 22.571
      },
      {
        "name": "AnalysisInfo",
        "time": 0.061
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.017
      },
      {
        "name": "Debug",
        "time": 0.002
      },
      {
        "name": "NetworkAnalysis",
        "time": 11.457
      },
      {
        "name": "Suricata",
        "time": 6.299
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "guloader_apis",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "koadic_apis",
        "time": 0.0
      },
      {
        "name": "koadic_network_activity",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "cryptbot_network",
        "time": 0.0
      },
      {
        "name": "purplewave_network_activity",
        "time": 0.0
      },
      {
        "name": "quilclipper_behavior",
        "time": 0.0
      },
      {
        "name": "raccoon_behavior",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "vidar_behavior",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "loader_alien",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypt_pcinfo",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agenttesla_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agentteslat2_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_nanocore",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "nemty_network_activity",
        "time": 0.0
      },
      {
        "name": "nemty_note",
        "time": 0.0
      },
      {
        "name": "sodinokibi_behavior",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_registry",
        "time": 0.0
      },
      {
        "name": "blackrat_apis",
        "time": 0.0
      },
      {
        "name": "blackrat_network_activity",
        "time": 0.0
      },
      {
        "name": "blackrat_registry_keys",
        "time": 0.0
      },
      {
        "name": "dcrat_behavior",
        "time": 0.0
      },
      {
        "name": "karagany_system_event_objects",
        "time": 0.0
      },
      {
        "name": "rat_luminosity",
        "time": 0.0
      },
      {
        "name": "rat_nanocore",
        "time": 0.0
      },
      {
        "name": "netwire_behavior",
        "time": 0.0
      },
      {
        "name": "obliquerat_network_activity",
        "time": 0.0
      },
      {
        "name": "orcusrat_behavior",
        "time": 0.0
      },
      {
        "name": "trochilusrat_apis",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "remcos_shell_code_dynamic_wrapper_x",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "neshta_files",
        "time": 0.0
      },
      {
        "name": "neshta_regkeys",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.004
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.003
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.002
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.001
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.001
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.0
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.002
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.001
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.004
      },
      {
        "name": "antiav_detectreg",
        "time": 0.005
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.0
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.0
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.0
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.0
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.0
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.002
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "gulpix_behavior",
        "time": 0.0
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.0
      },
      {
        "name": "okrum_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_cridex",
        "time": 0.0
      },
      {
        "name": "geodo_banking_trojan",
        "time": 0.001
      },
      {
        "name": "banker_spyeye_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_zeus_mutex",
        "time": 0.0
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.0
      },
      {
        "name": "checks_uac_status",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "carberp_mutex",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.0
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "cypherit_mutexes",
        "time": 0.0
      },
      {
        "name": "darkcomet_regkeys",
        "time": 0.0
      },
      {
        "name": "datop_loader",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "andromut_mutexes",
        "time": 0.0
      },
      {
        "name": "downloader_cabby",
        "time": 0.0
      },
      {
        "name": "phorpiex_mutexes",
        "time": 0.0
      },
      {
        "name": "protonbot_mutexes",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "apocalypse_stealer_file_behavior",
        "time": 0.0
      },
      {
        "name": "arkei_files",
        "time": 0.0
      },
      {
        "name": "azorult_mutexes",
        "time": 0.001
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.002
      },
      {
        "name": "cryptbot_files",
        "time": 0.0
      },
      {
        "name": "echelon_files",
        "time": 0.001
      },
      {
        "name": "infostealer_ftp",
        "time": 0.003
      },
      {
        "name": "infostealer_im",
        "time": 0.002
      },
      {
        "name": "infostealer_mail",
        "time": 0.002
      },
      {
        "name": "masslogger_files",
        "time": 0.0
      },
      {
        "name": "poullight_files",
        "time": 0.001
      },
      {
        "name": "purplewave_mutexes",
        "time": 0.0
      },
      {
        "name": "quilclipper_mutexes",
        "time": 0.0
      },
      {
        "name": "qulab_files",
        "time": 0.001
      },
      {
        "name": "qulab_mutexes",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.002
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.001
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.001
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.001
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.008
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.006
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.0
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powerpool_mutexes",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "cryptomix_mutexes",
        "time": 0.0
      },
      {
        "name": "dharma_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.004
      },
      {
        "name": "ransomware_files",
        "time": 0.006
      },
      {
        "name": "fonix_mutexes",
        "time": 0.0
      },
      {
        "name": "gandcrab_mutexes",
        "time": 0.0
      },
      {
        "name": "germanwiper_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_regkeys",
        "time": 0.0
      },
      {
        "name": "nemty_mutexes",
        "time": 0.0
      },
      {
        "name": "nemty_regkeys",
        "time": 0.0
      },
      {
        "name": "pysa_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_radamant",
        "time": 0.0
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "revil_mutexes",
        "time": 0.001
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "satan_mutexes",
        "time": 0.0
      },
      {
        "name": "snake_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_cmd",
        "time": 0.0
      },
      {
        "name": "ransomware_stopdjvu",
        "time": 0.0
      },
      {
        "name": "rat_beebus_mutexes",
        "time": 0.0
      },
      {
        "name": "blacknet_mutexes",
        "time": 0.0
      },
      {
        "name": "blackrat_mutexes",
        "time": 0.0
      },
      {
        "name": "crat_mutexes",
        "time": 0.0
      },
      {
        "name": "dcrat_files",
        "time": 0.0
      },
      {
        "name": "dcrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_fynloski_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_regkeys",
        "time": 0.0
      },
      {
        "name": "lodarat_file_behavior",
        "time": 0.0
      },
      {
        "name": "modirat_behavior",
        "time": 0.0
      },
      {
        "name": "njrat_regkeys",
        "time": 0.0
      },
      {
        "name": "obliquerat_files",
        "time": 0.0
      },
      {
        "name": "obliquerat_mutexes",
        "time": 0.0
      },
      {
        "name": "parallax_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_pcclient",
        "time": 0.0
      },
      {
        "name": "rat_plugx_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_poisonivy_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_quasar_mutexes",
        "time": 0.0
      },
      {
        "name": "ratsnif_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_spynet",
        "time": 0.0
      },
      {
        "name": "venomrat_mutexes",
        "time": 0.0
      },
      {
        "name": "warzonerat_files",
        "time": 0.0
      },
      {
        "name": "warzonerat_regkeys",
        "time": 0.0
      },
      {
        "name": "xpertrat_files",
        "time": 0.0
      },
      {
        "name": "xpertrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_xtreme_mutexes",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.0
      },
      {
        "name": "remcos_files",
        "time": 0.0
      },
      {
        "name": "remcos_mutexes",
        "time": 0.0
      },
      {
        "name": "remcos_regkeys",
        "time": 0.0
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "spicyhotpot_behavior",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.0
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "targeted_flame",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.002
      },
      {
        "name": "trickbot_mutex",
        "time": 0.0
      },
      {
        "name": "fleercivet_mutex",
        "time": 0.0
      },
      {
        "name": "lokibot_mutexes",
        "time": 0.0
      },
      {
        "name": "ursnif_behavior",
        "time": 0.001
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "neshta_mutexes",
        "time": 0.0
      },
      {
        "name": "renamer_mutexes",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.0
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      },
      {
        "name": "allaple_mutexes",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "System.Data.SQLite.dll",
      "path": "/opt/CAPEv2/storage/binaries/f0d4beab24e94e61f219df451d90dbba3d0f48539f9b6a448f91e0c94b4e80c4",
      "guest_paths": "",
      "size": 262144,
      "crc32": "DCC58C55",
      "md5": "dd3d6f00b1aba3f1d9338d9727ab5f17",
      "sha1": "faf9364a7ab15f27c93a6e6f97fa025030c9dad7",
      "sha256": "f0d4beab24e94e61f219df451d90dbba3d0f48539f9b6a448f91e0c94b4e80c4",
      "sha512": "0794d850a133a98affe627e3023114b229b982e507d366895ece6a1ef99b42d708554c64b52f0f2ed63673e1c5aeea7e794085d45f0797159e21ba4efdf23cd7",
      "rh_hash": null,
      "ssdeep": "6144:icvnEsATddHqgM69uZ5iFNFGFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchF1:icvnEygM69uZ8FNFGFOFwcGF6cmFWc0z",
      "type": "PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
      "yara": [
        {
          "name": "NETDLLMicrosoft",
          "meta": {
            "author": "malware-lu"
          },
          "strings": [
            "{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }"
          ],
          "addresses": {
            "a0": 251706
          }
        },
        {
          "name": "IsPE32",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsNET_DLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsDLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsConsole",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "HasDebugData",
          "meta": {
            "author": "_pusher_",
            "description": "DebugData Check",
            "date": "2016-07"
          },
          "strings": [],
          "addresses": {}
        },
        {
          "name": "Microsoft_Visual_Studio_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 251742
          }
        },
        {
          "name": "Microsoft_Visual_C_v70_Basic_NET_additional",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 251742
          }
        },
        {
          "name": "Microsoft_Visual_C_Basic_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 251742
          }
        },
        {
          "name": "Microsoft_Visual_Studio_NET_additional",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 251742
          }
        },
        {
          "name": "Microsoft_Visual_C_v70_Basic_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 251742
          }
        },
        {
          "name": "NET_executable_",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 251742
          }
        },
        {
          "name": "NET_executable",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 251742
          }
        }
      ],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1A444396477EC264AE2FF92B8E8A065804770F827566BD309BCC420DE5C76F806953B77",
      "sha3_384": "c1769261a16c95516d9ea38edc4b478789084b044b3930b173767d1cea06c22f222c87ddde19889c593d2643ae0e79eb",
      "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "No signature found.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x0003e75e",
        "ep_bytes": "ff250020400000000000000000000000",
        "peid_signatures": null,
        "reported_checksum": "0x000485d9",
        "actual_checksum": "0x000485d9",
        "osversion": "4.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": "c:\\dev\\sqlite\\dotnet\\obj\\2005\\Release\\System.Data.SQLite.pdb",
        "imports": {
          "mscoree": {
            "dll": "mscoree.dll",
            "imports": [
              {
                "address": "0x402000",
                "name": "_CorDllMain"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0003e708",
            "size": "0x00000053"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x00040000",
            "size": "0x00000420"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00042000",
            "size": "0x0000000c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x0003e694",
            "size": "0x0000001c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00002000",
            "size": "0x00000008"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00002008",
            "size": "0x00000048"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00001000",
            "virtual_address": "0x00002000",
            "virtual_size": "0x0003c764",
            "size_of_data": "0x0003d000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "5.95"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x0003e000",
            "virtual_address": "0x00040000",
            "virtual_size": "0x00000420",
            "size_of_data": "0x00001000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "1.08"
          },
          {
            "name": ".reloc",
            "raw_address": "0x0003f000",
            "virtual_address": "0x00042000",
            "virtual_size": "0x0000000c",
            "size_of_data": "0x00001000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "0.02"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "RT_VERSION",
            "offset": "0x00040058",
            "size": "0x000003c8",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "3.36"
          }
        ],
        "versioninfo": [
          {
            "name": "Translation",
            "value": "0x0000 0x04b0"
          },
          {
            "name": "Comments",
            "value": "ADO.NET Data Provider for SQLite"
          },
          {
            "name": "CompanyName",
            "value": "http://system.data.sqlite.org/"
          },
          {
            "name": "FileDescription",
            "value": "System.Data.SQLite Core"
          },
          {
            "name": "FileVersion",
            "value": "1.0.88.0"
          },
          {
            "name": "InternalName",
            "value": "System.Data.SQLite.dll"
          },
          {
            "name": "LegalCopyright",
            "value": "Public Domain"
          },
          {
            "name": "OriginalFilename",
            "value": "System.Data.SQLite.dll"
          },
          {
            "name": "ProductName",
            "value": "System.Data.SQLite"
          },
          {
            "name": "ProductVersion",
            "value": "1.0.88.0"
          },
          {
            "name": "Assembly Version",
            "value": "1.0.88.0"
          }
        ],
        "imphash": "dae02f32a21e03ce65412f6e56942daa",
        "timestamp": "2013-08-07 20:10:35",
        "icon": null,
        "icon_hash": null,
        "icon_fuzzy": null,
        "icon_dhash": null,
        "imported_dll_count": 1
      },
      "data": null,
      "strings": [
        "sourceCommand",
        "retryMilliseconds",
        "fieldOffset",
        "sqlite3_bind_int",
        "Environment",
        "IEnlistmentNotification",
        "InvalidCastException",
        "Bind_ParamName",
        "HH:mm:ss.FFFFFFF",
        "SELECT {0} FROM [{1}].[{2}] WHERE ROWID = ?",
        "sqlite3_exec",
        "ReleaseHandle",
        "System.Resources",
        "xSync",
        "sqlite3_column_blob",
        "Random",
        "    <TypeName>blob</TypeName>",
        "SerializationInfo",
        "Bind_Text",
        "synchronous",
        "Int32",
        "GetUInt64",
        "message",
        "_types",
        "SELECT * FROM [{0}].[{2}] WHERE [type] LIKE 'index' AND [name] LIKE '{1}'",
        "IMAGE",
        "FindFunction",
        "_designTimeVisible",
        "TraceCallback",
        "_nullMapping",
        "already hit end of enumerator",
        "set_ItemArray",
        "Loading extensions is disabled for this database connection.",
        "ISQLiteNativeModule",
        "    <NumberOfIdentifierParts>4</NumberOfIdentifierParts>",
        "UnsafeNativeMethods",
        "System.Text",
        "EnableExtensions",
        "IndexString",
        "Reader",
        "LogErrors",
        "Changed",
        "_parameterCollection",
        "ptrCollSeq",
        "DebuggableAttribute",
        "pModule",
        "FuncType",
        "Opening",
        "get_LogExceptionsNoThrow",
        "ToDouble",
        "sqlite3_column_type",
        "set_QuoteSuffix",
        "VarFileInfo",
        "    <TypeName>numeric</TypeName>",
        "get_Transaction",
        "Depth",
        "COLLATION_SCHEMA",
        "DesignerAttribute",
        "colllen",
        "get_SQLiteSourceId",
        "IEnumerable",
        "CreateCommand",
        "get_ToFullPath",
        "ColumnOriginalName",
        "sqlite3_result_text",
        "IS_UPDATABLE",
        "strCommand",
        "Rollback",
        "PropertyDescriptor",
        "Password can only be set before the database is opened.",
        "_StepFunc",
        "GetReferencedAssemblies",
        "    <CreateFormat>varchar({0})</CreateFormat>",
        "set_LegacyFormat",
        "_parameterList",
        "InvariantCulture",
        "SetErrorNoMemory",
        "System.Collections.Generic.IEnumerator<T>.Current",
        "Catalogs",
        "No_SQLiteFunctions",
        "GetCursorForTable",
        "IDbTransaction",
        "FileStream",
        "MemberInfo",
        "items",
        "foreign keys",
        "UINT64",
        "array",
        "SQLiteConnectionEventType",
        "_transactionLevel",
        "context",
        "  </MetaDataCollections>",
        "NoCase",
        "ProductVersion",
        "SchemaTableOptionalColumn",
        "sqlite3_finalize_interop",
        "<empty>",
        "ReturnText",
        "UNIQUE",
        "CHARACTER_SET_NAME",
        "yyyy-MM-dd HH:mmK",
        "TRIGGER_NAME",
        "    <DataType>System.Int16</DataType>",
        "DbProviderSpecificTypePropertyAttribute",
        "toFullPath",
        "    <TypeName>long</TypeName>",
        "ProductName",
        "useColumnsForParameterNames",
        "NumericScale",
        "version",
        "get_ParseViaFramework",
        "SQLiteTypeToType",
        "IsClosed",
        "indexNumber",
        "remove_StateChange",
        "FromIntPtr",
        "error",
        "DefaultForeignKeys",
        "yyyyMMddHHmm",
        "remove_RowUpdated",
        "columnToParent",
        "    <CollectionName>Columns</CollectionName>",
        "sqlite3_vtab_cursor",
        "BINARY",
        "SQLiteTransaction",
        "get_SetDefaults",
        "get_DbConnection",
        "ToChar",
        "Caught exception in \"Dispose\" method: {0}",
        "Translation",
        "Bind_Blob",
        "mscorlib",
        "sqlite3_next_stmt",
        "ModuleNotAvailableCursorError",
        "NumericPrecision",
        "read only",
        "SQLiteCommitCallback",
        "BaseColumnName",
        "SQLiteCommitHandler",
        "Default",
        "CreateDataAdapter",
        "set_CacheSize",
        "ToLower",
        "TABLECOLUMNS",
        "pSystem.ComponentModel.StringConverter, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "    <TypeName>smalldate</TypeName>",
        "SetExtendedResultCodes",
        "NotFound",
        "ObjectDisposedException",
        "_readingState",
        "Sleep",
        "get_Types",
        "LONGCHAR",
        "TryGetChanges",
        "NVARCHAR",
        "GetString",
        "sqlite3_context_collseq_interop",
        "IndexNumber",
        ":memory:",
        "iSavepoint",
        "GetTypeAffinity",
        "collectionName",
        "TryParseEnum",
        "GetFloat",
        "DefaultEnlist",
        "Decimal",
        "ToSingle",
        "    <TypeName>nvarchar</TypeName>",
        "sqlite3_rekey",
        "SQLITE_CONFIG_MALLOC",
        "Commit",
        "binaryguid",
        "Schema_IndexColumns",
        "UTF16BE",
        "SetConnectionPool",
        "0%0?0N0Y0y1",
        "Split",
        "xBestIndex",
        "DeclareFunction",
        "GetRowIdFromObject",
        "BEGIN IMMEDIATE",
        "EntryPointNotFoundException",
        "propertyList",
        "sortMode",
        "nOrderBy",
        "StaticSetMemoryStatus",
        "AllocateCursor",
        "get_PageSize",
        "outputs",
        "INDEX_DEFINITION",
        "get_FuncType",
        "handle",
        "set_Connection",
        "Transaction is not associated with the command's connection",
        "sqlite3_table_column_metadata_interop",
        "Release",
        "OptionList",
        "set_DbType",
        "Statement {0} paramter #{1} name is {{{2}}}.",
        "nPage",
        "Caught exception in \"Final\" method: {1}",
        "NativeHandle",
        "set_Direction",
        "yy-MM-dd",
        "System",
        "get_CurrentInfo",
        "_usePool",
        "{1}_PK_{0}",
        "Statement",
        "SQLiteFactory",
        "get_NativeHandle",
        "CONSTRAINT_TYPE",
        "ToolboxItemAttribute",
        "MemoryFileName",
        "set_LogExceptions",
        "SYSTEM_TABLE",
        "DbCommand",
        "BuildNextCommand",
        "SecurityPermissionAttribute",
        "get_IndexString",
        "sender",
        "\"#\"*\"o%u%",
        "AttributeTargets",
        "NoMem",
        "nativestringlen",
        "'(([^']|'')*)'",
        "System.Runtime.Serialization",
        "LogPreBind",
        "Nullable`1",
        "get_IsAlive",
        "    <CreateFormat>note({0})</CreateFormat>",
        "set_SyncMode",
        "CopyNativeModule",
        "newName",
        "Binding statement {0} paramter #{1} as type {2} with value {{{3}}}...",
        "UseUTF16Encoding",
        "yyyy-MM-dd HH:mm:ssK",
        "ReturnInt64",
        "get_DbParameterCollection",
        "SQLite {0} ({1}): {2}",
        "FallbackGetErrorString",
        "INDEX_CATALOG",
        "DOMAIN_CATALOG",
        "TypeToDbType",
        "nativeModule",
        "SELECT [type], [name], [tbl_name], [rootpage], [sql], [rowid] FROM [{0}].[{1}] WHERE [type] LIKE 'trigger'",
        "Detected {0}-bit pointer size with processor architecture \"{1}\", using processor architecture \"{2}\" instead...",
        "SuppressUnmanagedCodeSecurityAttribute",
        "LegalCopyright",
        "    <NumberOfIdentifierParts>3</NumberOfIdentifierParts>",
        "EnlistTransaction",
        "ROLLBACK",
        "PtrToStringUni",
        "    <TypeName>currency</TypeName>",
        "CompilerGeneratedAttribute",
        "Data Source=:memory:;",
        "VARCHAR",
        "set_IsValid",
        "DefaultTimeout",
        "set_DateTimeFormatString",
        "ColumnToType",
        "get_Uri",
        "SetValue",
        "RemoveAt",
        "SQLiteErrorCode",
        "    <TypeName>bool</TypeName>",
        "VisibleFieldCount",
        "SQLiteConvert",
        "ReRegisterForFinalize",
        "Utf8Encoding",
        "v2.0.50727",
        "#Strings",
        "System.Collections.Generic",
        "U'System.Data.SQLite.SynchronizationModes",
        "SQLiteValue",
        "style",
        "collection",
        "MinimumScale",
        "sqlite3_shutdown",
        "STRING",
        "Replace",
        "{0:x2}",
        "DataReader has been closed",
        "Database must be opened before changing the password.",
        "TypeCode",
        "GetAssemblies",
        "DataSourceProductName",
        "result",
        "set_Item",
        "get_CatalogLocation",
        "ColumnSize",
        "UNSIGNEDINTEGER32",
        "Password",
        "xUpdate",
        "indexString",
        "IndexName",
        "RemoveHandler",
        "value__",
        "BaseCatalogName",
        "xRollback",
        "@param{0}",
        "CommandType",
        "SchemaTableColumn",
        "_context",
        "SQLiteDefineConstants",
        "param",
        "DomainUnload",
        "get_DeleteCommand",
        "sqlite3_bind_text16",
        "throwError",
        "DestroyOrDisconnect",
        "ResizePool",
        "dataType",
        "authorization denied",
        "DllImportAttribute",
        "MoveNext",
        "UInt32",
        "CLUSTERED",
        "BEGIN",
        "    <CreateFormat>guid</CreateFormat>",
        "_dbtypeToType",
        "NoExtensionFunctions",
        "GetStringFromObject",
        "set_CommandText",
        "_destDb",
        "cSystem.Data.SQLite.Linq, PublicKey=002400000480000094000000060200000024000052534131000400000100010005a288de5687c4e1b621ddff5d844727418956997f475eb829429e411aff3e93f97b70de698b972640925bdd44280df0a25a843266973704137cbb0e7441c1fe7cae4e2440ae91ab8cde3933febcb1ac48dd33b40e13c421d8215c18a4349a436dd499e3c385cc683015f886f6c10bd90115eb2bd61b67750839e3a19941dc9c",
        "Binding statement {0} paramter #{1} as NULL...",
        "    <TypeName>oleobject</TypeName>",
        "get_BaseDirectory",
        "    <NumberOfRestrictions>4</NumberOfRestrictions>",
        "Assembly",
        "typeName",
        "StatementSeparatorPattern",
        "CommandBehavior",
        "keylen",
        "UpdateCommand",
        "get_CompareInfo",
        "System.Reflection",
        "Cache Size",
        "    <TypeName>longtext</TypeName>",
        "FromHexString",
        "set_IndexString",
        "RefreshProperties",
        "_connectionState",
        "SetErrorTooBig",
        "CollationEncodingEnum",
        "Warning",
        "_fieldTypeArray",
        "    <CreateFormat>nvarchar({0})</CreateFormat>",
        "Columns",
        "DataRowVersion",
        "Int64",
        "ClearAllPools",
        "get_ModuleName",
        "ColumnAffinity",
        "get_CurrentCulture",
        "GetCustomAttributes",
        "stepNumber",
        "GetInsertCommand",
        "sqlite3_open16_interop",
        "Bind_DateTime",
        "    <ProviderDbType>2</ProviderDbType>",
        "IList`1",
        "IntPtr",
        "DeleteCommand",
        "dtLen",
        "op_Implicit",
        "get_IsolationLevel",
        "sqlite3_changes_interop",
        "    <CreateFormat>image</CreateFormat>",
        "idxStr",
        "_sourceColumn",
        "GetBoolean",
        "set_Declared",
        "M0d0i",
        "object",
        "SQLiteConnection",
        "CursorEndOfEnumeratorError",
        "pContext",
        "get_SyncMode",
        "set_ToFullPath",
        "IEqualityComparer",
        "Utf8IntPtrArrayFromStringArray",
        "GetExecutingAssembly",
        "remove_Update",
        "SQLiteConfigOpsEnum",
        "INTEGER",
        "IsFixedPrecisionScale",
        "constraint",
        "Custom",
        "Connection",
        "get_SelectCommand",
        "_updatingEventPH",
        "    <ProviderDbType>8</ProviderDbType>",
        "    <CreateFormat>logical</CreateFormat>",
        "interval",
        "CARDINALITY",
        "DbTypeToNumericScale",
        "EditorBrowsableAttribute",
        "_throwOnDisposed",
        "xRelease",
        "DbTypeToNumericPrecision",
        "_rollbackCallback",
        "sqlite3_enable_load_extension",
        "GetSchemaTable",
        "_tempmasterdb",
        "_commitHandler",
        "sqlite3_column_double",
        "get_UpdatedRowSource",
        "get_TotalSeconds",
        "StepBackup",
        "_rollbackHandler",
        "get_DateTimeFormatString",
        "    <NumberOfRestrictions>1</NumberOfRestrictions>",
        "set_SourceVersion",
        "DefaultDateTimeFormatString",
        "methodName",
        "CursorFromIntPtr",
        "ToHexadecimalString",
        "    <CollectionName>Indexes</CollectionName>",
        "passwordBytes",
        "Database connection not valid for getting maximum memory used.",
        "Failed to initialize logging.",
        "get_ServerVersion",
        "GroupByBehavior",
        "GetLastWin32Error",
        "OrderByConsumed",
        "Column",
        "DbCommandBuilder",
        "DataRowCollection",
        "CURRENCY",
        "sqlite3_busy_timeout",
        "CHARACTER_SET_CATALOG",
        "StartsWith",
        "sourceFile",
        "p2len",
        "System.IO",
        "resourceMan",
        "provider",
        "Values",
        "OutAttribute",
        "ReadInt32",
        "set_BaseSchemaName",
        "GetDouble",
        "iColumn",
        "Remove",
        "set_SourceColumnNullMapping",
        "remove_DomainUnload",
        "_traceHandler",
        "Rename",
        "    <TypeName>uniqueidentifier</TypeName>",
        "Format",
        "NameValueCollection",
        "Journal Mode",
        "PRAGMA [{0}].table_info([{1}])",
        "Prepare",
        "cache size",
        "NewCommand",
        "Unable to enlist in transaction, it is null",
        "    <CreateFormat>double</CreateFormat>",
        "FileIOPermissionAttribute",
        "SetError",
        "Statement {0} paramter index of name {{{1}}} is #{2}.",
        "SetLogCallback",
        "ArgumentException",
        "    <ProviderDbType>6</ProviderDbType>",
        "AssemblyCompanyAttribute",
        "SQLiteUpdateEventHandler",
        "IdentifierCase",
        "DisplayNameAttribute",
        "StateChangeEventHandler",
        "DllFileExtension",
        "<?xml version=\"1.0\" standalone=\"yes\"?>",
        "IDataReader",
        "Keywords",
        "get_HasRows",
        "sqliteBase",
        "BindingFlags",
        "sqlite3_vtshim_init",
        "enlistment",
        "System.Data.SQLite.SR.resources",
        "sqlite3_cursor_rowid_interop",
        "    <IsBestMatch>false</IsBestMatch>",
        "sqlite3_backup_step",
        "RuntimeFieldHandle",
        "_errorMessages",
        "add_RowUpdating",
        "typedefs",
        "GetParamValueBytes",
        "enumerable",
        "yyyy-MM-ddTHH:mm:ss.FFFFFFFK",
        "    <ProviderDbType>16</ProviderDbType>",
        "SQLITE_CONFIG_NONE",
        "System.Data",
        "yyyyMMddHHmmssK",
        "ExtendedResultCode",
        "Int16",
        "pError",
        "SQLiteVirtualTableCursorEnumerator",
        "_activeStatement",
        "FunctionType",
        "PreventNativeAccess",
        "Consistency",
        "GetData",
        "get_Size",
        "preparingEnlistment",
        "Caught exception in \"Invoke\" method: {0}",
        "Destination database is not open.",
        "Disconnect",
        "CONSTRAINT_NAME",
        "AssemblyTitleAttribute",
        "zFormat",
        "get_Enabled",
        "NonQuery",
        "    <DataType>System.Guid</DataType>",
        "CompareOptions",
        "Dictionary`2",
        "StringLiteralPattern",
        "CreateNativeModuleImpl",
        "DisposeModule",
        "Dispose",
        "set_CatalogLocation",
        "get_DisplayName",
        "parameterOrdinal",
        "sqlite3_value_bytes",
        "get_Keys",
        "Bind_UInt32",
        "Queue`1",
        "virtual table \"{0}\" is read-only",
        "hashCode",
        "Shutdown",
        "IsAutocommit",
        "DataColumn",
        "sqlite3_column_origin_name16_interop",
        "LogMessage",
        "_disposing",
        "nType",
        "DataSource",
        "IsInvalid",
        "maxPoolSize",
        "NextRowIndex",
        "FKEY_ID",
        "System.Security.Permissions.FileIOPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "    <DataType>System.Decimal</DataType>",
        "NumberStyles",
        "remove_RowUpdating",
        "sqlite3_backup_finish_interop",
        "CallingConvention",
        "file://",
        "UNIQUEIDENTIFIER",
        "UpdateRowSource",
        "_typecodeAffinities",
        "fieldCount",
        "closeCount",
        "tblName",
        "ReturnDouble",
        "RegisterFunction",
        "managed table for {0} not found",
        "procName",
        "sqlite3_memory_used",
        "'#(Z(w(",
        "SQLiteCallback",
        "yyyy-MM-ddTHH:mm:ss",
        "The connection handle is null.",
        "    <ProviderDbType>4</ProviderDbType>",
        "    <CreateFormat>time</CreateFormat>",
        "ToOADate",
        "get_DataSource",
        "InvokeMember",
        "Marshal",
        "OnRowUpdating",
        "ColumnDatabaseName",
        "_CompareFunc",
        "MapParameters",
        "GetUtf8BytesFromString",
        "    <IsAutoIncrementable>false</IsAutoIncrementable>",
        "destroyModule",
        "SetTypes",
        "The connection is not open.",
        "_sqlite_stmt",
        "DebuggingModes",
        "Changes",
        "DebuggerNonUserCodeAttribute",
        "strType",
        "ParseExact",
        "StringReader",
        "JournalMode",
        "ownHandle",
        "sqlite3_memory_highwater",
        "    <IsUnsigned>false</IsUnsigned>",
        "Internal",
        "    <CreateFormat>numeric</CreateFormat>",
        "AggregateCount",
        "StructLayoutAttribute",
        "sqlite3_value_int",
        "Views",
        "format",
        "destCnn",
        "SizeOf",
        "ReadDouble",
        "    <CreateFormat>string({0})</CreateFormat>",
        "Max Page Count",
        "SetPassword",
        "SetLoadExtension",
        ".-/-54@?A?LKMKNKOKPKQKRKSKTKUKVKWKXKYKZK[K\\K]K^K_K`KaKbKcKdKeKfKgKhKiK",
        "set_Locale",
        "NULL_COLLATION",
        "DesignerVersion",
        "VARCHAR2",
        "get_NewLine",
        "INITIALLY_DEFERRED",
        "ViewColumns",
        "Foreign Keys",
        "VersionNumber",
        "LiteralPrefix",
        "AssemblyFileVersionAttribute",
        "System.Threading",
        "CATALOG_NAME",
        "DefaultReadOnly",
        "Caught exception in \"Compare\" (UTF16) method: {0}",
        "ExpandFileName",
        "PRAGMA legacy_file_format={0}",
        "ResetConnection",
        "DefaultFullUri",
        "needToFreeIdxStr",
        "set_SchemaSeparator",
        "Enlist",
        "AppDomain",
        "Invalid ConnectionString format for part \"{0}\", no equal sign found",
        "Schema_Views",
        "GetChar",
        "PageCountBackup",
        "ClearDataReader",
        "LogEventHandler",
        "SQLiteBackup",
        "AddSeconds",
        "_data",
        "sqlite3_column_int",
        "fulluri",
        "sqlite3_column_database_name_interop",
        "parameterSize",
        "set_SelectCommand",
        "3System.Resources.Tools.StronglyTypedResourceBuilder",
        "set_Password",
        "nConstraint",
        "endOfEnumerator",
        "DefaultToFullPath",
        "Hashtable",
        "Force_SQLiteLog",
        "FKEY_TO_TABLE",
        "    <CreateFormat>counter</CreateFormat>",
        "CreateFunction",
        "ConnectionEventArgs",
        "IsReadOnly",
        "SchemaTable",
        "SetupSQLiteBase",
        "xDestroy",
        "SQLiteMarshal",
        "EnlistmentOptions",
        "SQLITE_CONFIG_SCRATCH",
        "get_LastInsertRowId",
        "ToUpper",
        "    <CollectionName>Catalogs</CollectionName>",
        "get_Columns",
        "COLUMN_FLAGS",
        "op_Inequality",
        "DefaultValueAttribute",
        "Schema",
        "PropertyDescriptorCollection",
        "Source database is not open.",
        "ProviderDbType",
        "SQLite",
        "columnName",
        "openCount",
        "GCHandleType",
        "StringComparison",
        "get_CanRaiseEvents",
        "set_CommandTimeout",
        "SchemaSeparator",
        "set_NeedToFreeIndexString",
        "parentToColumns",
        "Execute",
        "VIEW_COLUMN_NAME",
        "&!8,T-X1`4b>c?gAhDiFjGsHzI{J~j",
        "Combine",
        "yyyy-MM-dd HH:mm:ss",
        "USE_PREPARE_V2",
        "MapUriPath",
        "TryParseByte",
        "seconds",
        "ColumnType",
        "ConvertParams",
        "HexPassword",
        "Bind_ParamCount",
        "catalog",
        "xRollbackTo",
        "Execution was aborted by the user",
        "aConstraint",
        "ParameterMarkerFormat",
        "Object",
        "remove_Log",
        "BIGINT",
        "    <TypeName>nchar</TypeName>",
        "UTF16LE",
        "attempt to write a readonly database",
        "Refresh",
        "get_Message",
        "OnRowUpdated",
        "directory",
        "wantUniqueInfo",
        "module",
        "GetBlob",
        "DefaultLogErrors",
        "newState",
        "Schema_Indexes",
        "sqlite3_context_collcompare_interop",
        "Binary",
        "strCatalog",
        "GetDateTime",
        "get_FieldCount",
        "U(System.Data.SQLite.SQLiteJournalModeEnum",
        "sqlite3_bind_double",
        "nAffinity",
        "CheckValidRow",
        "sqlite3_file_control",
        "GetSQLiteDbTypeMap",
        "ObsoleteAttribute",
        "TABLE_ROOTPAGE",
        "Concat",
        "get_Unicode",
        "    <CollectionName>IndexColumns</CollectionName>",
        "TypeNameToDbType",
        "pages",
        "DbConnectionStringBuilder",
        "add_Log",
        "connection handle is still active",
        "_poolVersion",
        "SQLITE_",
        "pClientData",
        "InitializeForReader",
        "OperatingSystem",
        "arguments",
        "buffer",
        "dataBase",
        "TypeDescriptor",
        "nativeHandle",
        "GetDeleteCommand",
        "no table was created",
        "    <CreateFormat>smallint</CreateFormat>",
        "sqlite3_commit_hook",
        "SQLite.Designer.SQLiteConnectionStringEditor, SQLite.Designer, Version=1.0.88.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139uSystem.Drawing.Design.UITypeEditor, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",
        "    <TypeName>varbinary</TypeName>",
        "sqlite3_index_constraint",
        "_CorDllMain",
        "#Blob",
        "ReadWrite",
        "AddRange",
        "    <DataType>System.Single</DataType>",
        "Unable to enlist in transaction, a local transaction already exists",
        "BindAndGetAllAsText",
        "    <NumberOfRestrictions>3</NumberOfRestrictions>",
        "LoadLibrary",
        "System.Data.SQLite.Generic",
        "THHmmssK",
        "CloseConnectionV2",
        "SQLiteParameter",
        "Schema_DataTypes",
        "baseschemaname",
        "Read Only",
        "SQLITE_CONFIG_GETMALLOC",
        "get_Table",
        "isolationLevel",
        "UnmanagedFunctionPointerAttribute",
        "DATETIME_PRECISION",
        "set_UseUTF16Encoding",
        "resultCodes",
        "No current row",
        "logErrors",
        "SetNull",
        "$$method0x6000018-1",
        "sqlite3_errcode",
        "Abort",
        "ISQLiteNativeHandle",
        "_commitCallback",
        "    <DataType>System.Double</DataType>",
        "DefaultUri",
        "_enabled",
        "failifmissing",
        "add__updateHandler",
        "set_Name",
        "DbDataReader",
        "EndInvoke",
        "UTF8ToString",
        "Clone",
        "IS_DEFERRABLE",
        "Failed to load native SQLite library \"{0}\" (getLastError = {1}): {2}",
        "RowUpdatingEventHandler",
        "strSql",
        "constraint failed",
        "    <TypeName>time</TypeName>",
        "SQLiteModuleEnumerable`1",
        "get_BigEndianUnicode",
        "zDbName",
        "_transaction",
        "fstep",
        "AUTOINCREMENT",
        "(([^\\[]|\\]\\])*)",
        "ptrDataType",
        "not an error",
        "enable",
        "IndexOfAny",
        "Database connection not valid for getting last insert rowid.",
        "ParameterDirection",
        "    <IsAutoIncrementable>true</IsAutoIncrementable>",
        "JulianDay",
        "$$method0x60001e2-1",
        "CollationSequence",
        "sqlite3_win32_set_directory",
        "Default Timeout",
        "FormatDateTime",
        "MinimumVersion",
        "get_Outputs",
        "IsUnique",
        "backup",
        "FKEY_FROM_COLUMN",
        "SQLiteLog",
        "legacy format",
        ":4:C:M:h:",
        "DefaultVersion",
        "database table is locked",
        "sqlite3_reset_interop",
        "SQLiteUpdateCallback",
        "data source",
        "GetMethodResultCode",
        "DataTypeName",
        "ExecuteReader",
        "EventHandlerList",
        "Collation",
        "CheckClosed",
        "get_BinaryGUID",
        "offset",
        "LiteralSuffix",
        "GetLastError",
        "zErrMsg",
        "ConvertFrom",
        "RuntimeHelpers",
        "{0}{1}{2}",
        "    <NumberOfIdentifierParts>1</NumberOfIdentifierParts>",
        "_sourceDb",
        "_datetimeFormatLocal",
        "Bind_Double",
        "Schema_ForeignKeys",
        "    <CreateFormat>date</CreateFormat>",
        "Boolean",
        "Truncate",
        "ConstraintUsages",
        "    <ColumnSize>10</ColumnSize>",
        "add_StateChange",
        "SQLiteType",
        "tables",
        "sqlite3_bind_int64",
        "ticks",
        "_fileName",
        "set_HexPassword",
        "System.Security",
        "'t-99",
        "set_LogExceptionsNoThrow",
        "FILL_FACTOR",
        "_poolClosed",
        "totalPages",
        "AssemblyDescriptionAttribute",
        "NextResult",
        "DefaultSynchronous",
        "MaxPoolSize",
        "pvUser",
        "sqlite3_column_table_name_interop",
        "pMessage",
        "newPasswordBytes",
        "ChangeType",
        "Microsoft.VSDesigner.Data.Design.DBParametersEditor, Microsoft.VSDesigner, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3auSystem.Drawing.Design.UITypeEditor, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",
        "SetInt",
        "lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet",
        "INTEROP_CODEC",
        "ReadByte",
        "get_Ticks",
        "_registeredFunctions",
        "SQLiteIndexConstraintOp",
        "DbParameter",
        "StateChangeEventArgs",
        "get_MemoryHighwater",
        "Database connection not valid for binding functions.",
        "sqlite3_result_double",
        "get_State",
        "MapParameter",
        "InitializeDefaultHandler",
        "get_Attributes",
        "AppendFormat",
        "dateText",
        "GetFieldType",
        "Declared",
        "CommitCallback",
        "Filter",
        "yyyy-MM-dd",
        "8G9c9l9r9",
        "op_Equality",
        "string value to split cannot be null",
        "get_InstanceType",
        "database disk image is malformed",
        "_CompareFunc16",
        "FalseString",
        "DefaultFlags",
        "GetIndexColumnExtendedInfo",
        "cnnString",
        "get_MetaDataCollections",
        "get_DateTimeFormat",
        "get_DefaultIsolationLevel",
        "FieldCount",
        "LogBind",
        " 2 < G N S ` d m | ",
        "near \"TYPES\": syntax error",
        "ResultCodeToEofResult",
        "sqlite3_overload_function",
        "sqlite3_libversion_number",
        "ParamArrayAttribute",
        "set_DefaultTimeout",
        "declared",
        "ToByte",
        "Invalid Default IsolationLevel specified",
        "    <TypeName>int</TypeName>",
        "DefaultPassword",
        "BindUInt32AsInt64",
        "usePool",
        "get_UTF8",
        "RowUpdated",
        "ToIntPtr",
        "commandText",
        "tofullpath",
        "ToString",
        "ApplyParameterInfo",
        "COLUMN_HASDEFAULT",
        "<DocumentElement>",
        "    <TypeName>binary</TypeName>",
        "get_UseUTF16Encoding",
        "get_OrderBys",
        "SQLite.Designer.SQLiteDataAdapterToolboxItem, SQLite.Designer, Version=1.0.88.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139",
        "DataSourceProductVersionNormalized",
        "TooBig",
        "SQLITE_CONFIG_GETPCACHE",
        "Enlistment",
        "get_Values",
        "SetAvRetry",
        "get_Culture",
        "MaximumVersion",
        "remove__traceHandler",
        "idxNum",
        "SByte",
        "Destination connection has no wrapper.",
        "disabling",
        "System.Data.SQLite.SQLiteCommand.bmp",
        "GreaterThan",
        "    <CollectionName>DataSourceInformation</CollectionName>",
        "get_OrdinalIgnoreCase",
        "DefaultPooling",
        "ParameterNameMaxLength",
        "PRAGMA database_list",
        "No transaction is active on this connection",
        "UTF16ToString",
        "query",
        "NewTransaction",
        "DefaultIsolationLevel",
        "zSourceName",
        "    <CreateFormat>integer</CreateFormat>",
        "set_InsertCommand",
        "set_Size",
        "sourceColumnNullMapping",
        "IsValid",
        "ISQLiteConnectionPool",
        "    <CollectionName>ReservedWords</CollectionName>",
        "value was not persisted",
        "q0d0i",
        "get_Flags",
        "get_InvariantInfo",
        "sqlite3_value_int64",
        "GetFlags",
        "Inputs",
        "BeginDbTransaction",
        "DATE_MODIFIED",
        "ClearPool",
        "System.Data.SQLite.SQLiteDataAdapter.bmp",
        "ResetDbType",
        "    <IsBestMatch>true</IsBestMatch>",
        "nativestring",
        "Cannot set Connection while a DataReader is active",
        "    <TypeName>counter</TypeName>",
        "GetOrdinal",
        "sqlite3_db_filename",
        "needToFreeIndexString",
        "Indexes",
        "AllowDBNull",
        "strCollation",
        "newPassword",
        "FOREIGN KEY",
        "set_DeleteCommand",
        "RowUpdatedEventArgs",
        "4.0.0.0",
        "Caught exception in \"Step\" method: {1}",
        "sqlite3_load_extension",
        "BIGUINT",
        "_password",
        "Inherited",
        "SQLiteLogCallback",
        "BindFunction",
        "SQLiteCommand",
        "IsUnsigned",
        "_paramValues",
        "sqlite3_bind_text",
        "connectionString",
        "_traceCallback",
        "U(System.Data.SQLite.SQLiteConnectionFlags",
        "    <CreateFormat>general</CreateFormat>",
        "ZeroTable",
        "no function was created",
        "totalCount",
        "sqlite3_result_zeroblob",
        "SQLITE_CONFIG_PCACHE",
        "    <CreateFormat>long</CreateFormat>",
        "_InvokeFunc",
        "Single",
        "NULLS",
        "Direction",
        "set_FullUri",
        "System.Data.SQLite.SQLiteConnection.bmp",
        "get_Name",
        "    <CreateFormat>ntext({0})</CreateFormat>",
        "Create",
        "add__commitHandler",
        "get_LogExceptions",
        "EditorAttribute",
        "DisposeModules",
        "add__traceHandler",
        "strView",
        "ToBoolean",
        "WriteInt32",
        "System.Data.SQLite Core",
        "EditorBrowsableState",
        "System.CodeDom.Compiler",
        "    <TypeName>identity</TypeName>",
        "ScalarCallback",
        "Double",
        "IS_NULLABLE",
        "ToJulianDay",
        "CacheSize",
        "SQLITE_CONFIG_MUTEX",
        "COLUMN_NAME",
        "FK_{0}_{1}_{2}",
        "max page count",
        "LogBackup",
        "get_Direction",
        "_keyInfo",
        "BindFunctions",
        "    <CreateFormat>autoincrement</CreateFormat>",
        "    <CollectionName>ForeignKeys</CollectionName>",
        "Bind_ParamIndex",
        "Clear",
        "zName",
        "get_FailIfMissing",
        "UpdatedRowSource",
        "add_Commit",
        "RowId",
        "GetObjectData",
        "set_NativeHandle",
        "InternalName",
        "SQLiteIndex",
        "FOREIGNKEYS",
        "sqlite3_result_error_code",
        "ToLowerInvariant",
        "database or disk is full",
        "GetParamValueInt64",
        "ComVisibleAttribute",
        "AllocHGlobal",
        "    <IsSearchableWithLike>false</IsSearchableWithLike>",
        "get_DbTransaction",
        "Cleanup",
        "ResultCodeToFindFunctionResult",
        "TableToIntPtr",
        "get_Rows",
        "CatalogSeparator",
        "IsNull",
        "GetBaseDirectory",
        "NoCreateModule",
        "Microsoft.VSDesigner.Data.Design.DbConnectionEditor, Microsoft.VSDesigner, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3auSystem.Drawing.Design.UITypeEditor, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",
        "GetText",
        "resourceCulture",
        "large file support is disabled",
        "HH:mm:ss.FFFFFFFK",
        "_fieldIndexes",
        "Error",
        "get_LogErrors",
        "GetRowIdForCursor",
        "newTypeName",
        "Public Domain",
        "sqlite_master",
        "    <CreateFormat>identity</CreateFormat>",
        "    <CreateFormat>memo({0})</CreateFormat>",
        "IsLiteralSupported",
        "ReadOnly",
        "nTimeoutMS",
        "GetProperties",
        "NoBindFunctions",
        "MONEY",
        "CHECK_STATE",
        "connection has an invalid handle",
        "strColumn",
        "Invalid connection string: invalid URI",
        "DATASOURCEINFORMATION",
        "OrderByColumnsInSelect",
        "IsOpen",
        "sqlite3_column_count",
        "_datetimeFormats",
        "    <CreateFormat>int</CreateFormat>",
        "datatype mismatch",
        "TypeToAffinity",
        "ColumnName",
        "Pooling",
        "formatString",
        "processorArchitecture",
        "Count",
        "get_FullUri",
        "System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "Invoke",
        "set_DesignTimeVisible",
        "AddDefaultHandler",
        "    <ProviderDbType>1</ProviderDbType>",
        "Only SQLite Version {0} is supported at this time",
        "Database connection not active.",
        "DateTimeStyles",
        "DefaultFailIfMissing",
        "DbParameterCollection",
        "SetMemoryStatus",
        "get_SourceColumnNullMapping",
        "sqlite3_errmsg_interop",
        "Backup object has an invalid handle pointer.",
        "sqlite_default_schema",
        "zSQLite.Designer.SQLiteCommandDesigner, SQLite.Designer, Version=1.0.88.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139",
        "Binding statement {0} paramter #{1} with database type {2} and raw value {{{3}}}...",
        "xColumn",
        "get_QuotePrefix",
        "set_BinaryGUID",
        "$$method0x6000603-1",
        "parameterType",
        "get_Chars",
        "_defaultHandler",
        "FILTER_CONDITION",
        "enlist",
        "SORT_BOOKMARKS",
        "set_ForeignKeys",
        "GetEnumerator",
        "string contains an odd number of characters",
        "PAGES",
        "System.Data.SQLite",
        "failed to initialize backup",
        "SQLiteModuleEnumerable",
        "    <TypeName>string</TypeName>",
        "functions",
        "CreateOrConnect",
        "Creating modules is disabled for this database connection.",
        "DbTypeToType",
        "pCursor",
        "COLLATION",
        "get_CurrentDomain",
        "Empty",
        "INITIAL_SIZE",
        "sqlite3_result_int",
        "GetParamValueText",
        "TABLE_NAME",
        "Alloc",
        "isNullable",
        "ModuleNameIndex",
        "parameter",
        "Database connection not valid for logging message.",
        "ExecuteDbDataReader",
        "GetInt32",
        "Subtract",
        "yyyyMMdd",
        "_callback",
        "sqlite3_column_database_name16_interop",
        "IsolationLevel",
        "collationSequence",
        "InitializeArray",
        "fileName",
        "Connection was closed",
        " 6k(q",
        "pointer",
        "_updateRowSource",
        "DbMetaDataColumnNames",
        "Bind_Null",
        "Corrupt",
        "param1",
        "syncRoot",
        "nRemain",
        "PRAGMA page_size={0}",
        "_updateCallback",
        "parseViaFramework",
        "Preparing {{{0}}}...",
        "ResultCode",
        "invalid SQL statement",
        "PasswordPropertyTextAttribute",
        "EventType",
        "sqlite3_open_interop",
        "sqlite3_bind_null",
        "strFilename",
        "SpecifyKind",
        "SQLiteRollbackCallback",
        "_SQLiteModule",
        "    <CreateFormat>bit</CreateFormat>",
        "SyncRoot",
        "Connection object has an invalid handle.",
        "get_DateTimeKind",
        "TABLE_CATALOG",
        "closed or invalid connection handle",
        "ClearCommands",
        "DefaultJournalMode",
        "rowVersion",
        "BaseTableName",
        "add_RollBack",
        "string is null or empty",
        "PreLoadSQLite_UseAssemblyDirectory",
        "SQLiteIndexOrderBy",
        "resultCode",
        "TextReader",
        "DESCRIPTION",
        "LogAll",
        "Uninitialized",
        "IoErr",
        "Outputs",
        "QuotedIdentifierPattern",
        "strIndex",
        "get_ForeignKeys",
        "CHECK_OPTION",
        "Failed to shutdown logging.",
        "DefaultDateTimeKind",
        "onError",
        "get_IsReadOnly",
        "NUMERIC_PRECISION",
        "sqlite3_column_bytes",
        "  <MetaDataCollections>",
        "DefaultConnectionTimeout",
        "sqlite3_rollback_hook",
        "deferredLock",
        "CONFLICT_OPTION",
        "DateTimeFormat",
        "Reverse",
        "get_ConnectionString",
        "_paramNames",
        "Schema_Triggers",
        "SQLiteIndexConstraintUsage",
        "Schema_ReservedWords",
        "Data Source",
        "get_Parameters",
        "ProviderSpecificDataType",
        "DefaultBinaryGUID",
        "IsDefaultAppDomain",
        "sqlite3_bind_parameter_index",
        ".ctor",
        "set_Enabled",
        "IsNullable",
        "aConstraintUsage",
        "Bind_UInt64",
        "FixUpDllFileName",
        "rootPage",
        "estimatedCost",
        "No_SQLiteConnectionNewParser",
        "CommandTimeout",
        "GetTypeCode",
        "connection",
        "sqlite3_open16",
        "SELECT * FROM [{0}].[{2}] WHERE [type] LIKE 'index' AND [tbl_name] LIKE '{1}'",
        "ReturnInt32",
        "AsyncCallback",
        "HH:mm:ssK",
        "BindParameter",
        "returnValue",
        "sqlite3_backup_init",
        "<Module>",
        "System.Collections.Generic.IEnumerator<T>.get_Current",
        "AssemblyVersionAttribute",
        "paramName",
        "SELECT * FROM [{0}].[{1}] WHERE [type] LIKE 'table' OR [type] LIKE 'view'",
        "func16",
        "DefaultMaxPoolSize",
        "bufferoffset",
        "FileControl",
        "SQLiteConnectionPool",
        "FileVersion",
        "002400000480000094000000060200000024000052534131000400000100010005a288de5687c4e1b621ddff5d844727418956997f475eb829429e411aff3e93f97b70de698b972640925bdd44280df0a25a843266973704137cbb0e7441c1fe7cae4e2440ae91ab8cde3933febcb1ac48dd33b40e13c421d8215c18a4349a436dd499e3c385cc683015f886f6c10bd90115eb2bd61b67750839e3a19941dc9c",
        "sqlite3_column_table_name16_interop",
        "get_Password",
        "    <CreateFormat>bool</CreateFormat>",
        "_masterdb",
        "behavior",
        "get_DataTypes",
        "RowUpdatingEventArgs",
        "IsNullOrEmpty",
        "get_QuoteSuffix",
        "create",
        "get_Arguments",
        "argsptr",
        "    <ColumnSize>5</ColumnSize>",
        "AUTO_UPDATE",
        "SQLITE_CONFIG_LOG",
        "sqlite3_dispose_module",
        "FailIfMissing",
        "_activeStatementIndex",
        "122<2s3",
        "IsBestMatch",
        "_dbtypetocolumnsize",
        "LogModuleError",
        "PoolCount",
        "sqlite3_result_error_toobig",
        "IsAutoIncrementable",
        "_dbtypetonumericscale",
        "reverse",
        "FKEY_TO_COLUMN",
        "strict",
        "Contains",
        "ToInt16",
        "get_Assembly",
        "NET_20",
        "_updatedEventPH",
        "sqlite3_free",
        "GetHashCode",
        "AddValue",
        "AppendSchemaTable",
        "LogErrorsNoThrow",
        "    <NumberOfIndentifierParts>3</NumberOfIndentifierParts>",
        "set_Enlist",
        "library routine called out of sequence",
        "FKEY_TO_SCHEMA",
        "PublicKey",
        "DATATYPES",
        "DateTimeFormatInfo",
        "UNSIGNEDINTEGER",
        "OnStateChange",
        "SetMethodResultCode",
        "xCommit",
        "    <TypeName>timestamp</TypeName>",
        "sqlite3_libversion",
        "failed to persist one or more values",
        "FinalCallback",
        "add_RowUpdated",
        "sourceText",
        "sqlite3_value_blob",
        "previous",
        "ULONG",
        "destroy",
        "SQLITE_CONFIG_SINGLETHREAD",
        "Int64BitsToDouble",
        "PRAGMA cache_size={0}",
        "_enlistment",
        "source",
        "Update",
        "_disposeCommand",
        "BackupDatabase",
        "ChangePassword",
        "xSavepoint",
        "get_IndexNumber",
        "Destination connection has an invalid handle.",
        "_disposeConnection",
        "SQLiteModule",
        "value",
        "_instanceType",
        "@[\\p{Lo}\\p{Lu}\\p{Ll}\\p{Lm}_@#][\\p{Lo}\\p{Lu}\\p{Ll}\\p{Lm}\\p{Nd}\\uff3f_@#\\$]*(?=\\s+|$)",
        "PreparingEnlistment",
        "get_Keywords",
        "set_Version",
        "ColumnParent",
        "_stmt",
        "FinalizeStatement",
        "_defaultIsolation",
        "SetInt64",
        "IsKey",
        "*.+?+g+m+",
        "set_SetDefaults",
        "sqlite3_value_double",
        "Table",
        "database is locked",
        "CreateDisposableModule",
        "TABLE_TYPE",
        "get_Value",
        "Interrupt",
        "utf16",
        "CloseConnection",
        "Database connection not valid for creating modules.",
        "SQLiteFunction",
        "_syncRoot",
        "TrimEnd",
        "PRAGMA [{0}].index_info([{1}])",
        "IsInitialized",
        ".cctor",
        "xNext",
        "get_SchemaSeparator",
        "Allocate",
        "_rowsAffected",
        "Message",
        "integer",
        "rowIndex",
        "Cannot parse 'HexPassword' property value into byte values: {0}",
        "Schema_ViewColumns",
        "iErrCode",
        "enabling",
        "remove_RollBack",
        "destinationName",
        "COLUMN_DEFAULT",
        "AltDirectorySeparatorChar",
        "GreaterThanOrEqualTo",
        "iVersion",
        "get_Target",
        "yyyy-MM-dd HH:mm:ss.FFFFFFFK",
        "EventHandler`1",
        "no connection handle available",
        "Constraint",
        "System.Collections",
        "LogCallbackException",
        "Instance",
        "TryPersistValues",
        "    <ColumnSize>19</ColumnSize>",
        "Aggregate",
        "Scalar",
        "SQLiteOpenFlagsEnum",
        "get_EndOfEnumerator",
        "get_DatabaseName",
        "HasSchemaPrimaryKey",
        "Final",
        "Queue",
        "Persist",
        "ReflectionTypeLoadException",
        "SQLiteSourceId",
        "[{0}].",
        "COLUMNS",
        "csLen",
        "    <CreateFormat>blob</CreateFormat>",
        "sqlite3_malloc",
        "sqlite3_bind_blob",
        "IsExpression",
        "SupportedJoinOperators",
        "RowUpdating",
        "SetDouble",
        "ArrayFromSizeAndIntPtr",
        "SetRollbackHook",
        "declareSql",
        "TABLE_DEFINITION",
        "DefaultMemberAttribute",
        "sqlite3_column_decltype_interop",
        "dateTimeValue",
        "eventType",
        "SQL logic error or missing database",
        "    <TypeName>text</TypeName>",
        "LogModuleException",
        "KeepAlive",
        "UNSIGNEDINTEGER8",
        "NeedToFreeIndexString",
        "DefaultValue",
        "set_JournalMode",
        "Memory",
        "    <TypeName>autoincrement</TypeName>",
        "CreateModule",
        "SQLITE_CONFIG_LOOKASIDE",
        "VIEW_NAME",
        "xFindFunction",
        "ICloneable",
        "set_ConnectionPool",
        "argumentCount",
        "get_SQLiteVersion",
        "ToHexString",
        "get_DefaultTimeout",
        "nDataOffset",
        "System.Security.Permissions.FileIOPermissionAccess, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "interrupted",
        "set_CommandType",
        "sqlite3_create_disposable_module",
        "FKEY_FROM_ORDINAL_POSITION",
        "Unknown",
        "enumerator",
        "whereClause",
        "GCHandle",
        "ReadIntPtr",
        "IAsyncResult",
        "sqlite3_result_value",
        "LoadExtension",
        "AddrOfPinnedObject",
        "strTable",
        "DOUBLE",
        "XT+m~",
        "separator",
        "canThrow",
        "ConditionalAttribute",
        "retry",
        "command",
        "function",
        "ColumnMetaData",
        "OLEOBJECT",
        "    <TypeName>general</TypeName>",
        "nArgs",
        "VIEW_SCHEMA",
        "USE_INTEROP_DLL",
        "StructureToPtr",
        "schema",
        "CursorTypeMismatchError",
        "DefaultHexPassword",
        "AbortTransaction",
        "DeclareVirtualTable",
        "remainingPages",
        "UINT32",
        "IsDBNull",
        "DateTime",
        "precision",
        "LessThan",
        " * Written by Robert Simpson (robert@blackcastlesoft.com)",
        "Enabled",
        " ADO.NET Data Provider for SQLite",
        "@.reloc",
        "DeclareVirtualFunction",
        "Ticks",
        "AggregateData",
        "unquotedIdentifier",
        "    <CreateFormat>binary</CreateFormat>",
        "get_Version",
        "GetCollationSequence",
        "set_CatalogSeparator",
        "_connectionString",
        "NumberOfRestrictions",
        "get_CommandType",
        "GetDirectoryName",
        "nSize",
        "QuoteIdentifier",
        "StringFromUtf8IntPtr",
        "Thread",
        "get_IsFixedSize",
        "InternalsVisibleToAttribute",
        "sqlite3_value_type",
        "_functions",
        "pValue",
        "_commandTimeout",
        "000004b0",
        "    <TypeName>integer</TypeName>",
        "Culture",
        "NUMERIC_SCALE",
        "IComparer`1",
        "SQLiteVirtualTable",
        "TINYSINT",
        "TypeName",
        "SQLiteModuleNoop",
        "_zSourceName",
        "orderByConsumed",
        "Exchange",
        "EndLoadData",
        "sqlite3_result_int64",
        "Database is not open",
        "_defaultTimeout",
        "&%&7&O&",
        "primary",
        "PreLoadSQLite_ProcessorArchitecture",
        "behave",
        "statementType",
        "get_LogErrorsNoThrow",
        "unable to open database file",
        "SQLITE_CONFIG_MULTITHREAD",
        "SQLITE_CONFIG_PAGECACHE",
        "nLength",
        "triggerName",
        "    <DataType>System.String</DataType>",
        "Database",
        "TypeAffinity",
        "CREATE TABLE {0}(x);",
        "sqlite_master_PK_",
        "AllowPartiallyTrustedCallersAttribute",
        "RemoveDefaultHandler",
        "Exception",
        "CurrentCulture",
        "    <TypeName>bit</TypeName>",
        "LogExceptions",
        "GetInvocationList",
        "ListBindableAttribute",
        "InvalidRowIndex",
        "VIEW_CATALOG",
        "FlagsAttribute",
        "InvalidOperationException",
        "INTEGER8",
        "no native cursor was created",
        "LogPrepare",
        "    <DataType>System.Byte</DataType>",
        "ColumnTableName",
        "set_DbTransaction",
        "GetBytes",
        "_stepResult",
        "utf8Filename",
        "errMsg",
        "YESNO",
        "get_ConstraintUsages",
        "SQLite3",
        "PRAGMA [{0}].index_list([{1}])",
        "bDest",
        "EndsWith",
        "IsAutoIncrement",
        "yyyyMMddTHHmmssFFFFFFFK",
        "maxSize",
        "sqlite3_config_int",
        "ToUInt32",
        "Cannot convert type {0} to boolean",
        "CATALOGS",
        "BitConverter",
        "SQLiteVersionNumber",
        "DefaultConnectionString",
        "sqlite3_create_function_interop",
        "    <TypeName>char</TypeName>",
        "GetTypeFromHandle",
        "    <IsFixedLength>true</IsFixedLength>",
        "EventArgs",
        "VerifyType",
        "NotSupportedException",
        "SQLiteString",
        "get_Current",
        "LOGICAL",
        "set_Culture",
        "sqlite3_aggregate_count",
        "set_Uri",
        "GENERAL",
        "get_ParameterName",
        "Triggers",
        "locking protocol",
        "_func",
        "EnlistVolatile",
        "SQLite3_UTF16",
        "_typetodbtype",
        "HH:mm",
        "Parse",
        "SQLiteMemory",
        ")F)b)",
        "DeclareTable",
        "c:\\dev\\sqlite\\dotnet\\obj\\2005\\Release\\System.Data.SQLite.pdb",
        "IsFixedLength",
        "CHARACTER_SET_SCHEMA",
        "StringFileInfo",
        "virtual table cursor is closed",
        "    <NumberOfRestrictions>0</NumberOfRestrictions>",
        "sqlite_temp_master",
        "    <TypeName>yesno</TypeName>",
        "SetCommitHook",
        "    <NumberOfIdentifierParts>0</NumberOfIdentifierParts>",
        "get_AutoCommit",
        "set_DateTimeKind",
        "rowId",
        "Reset",
        "FindKey",
        "GetCounts",
        "SQLiteConnectionFlags",
        "sqlite3_step",
        "DataType",
        "yyyy-MM-ddTHH:mm",
        "EndOfEnumerator",
        "changes",
        "SQLiteMetaDataCollectionNames",
        "get_MaxPageCount",
        "SQLiteTraceCallback",
        "get_TypeDefinitions",
        "BinaryGUID",
        "GetParameter",
        "set_EstimatedCost",
        "ColumnCount",
        "sqlite3_close_interop",
        "    <IsSearchable>true</IsSearchable>",
        "    <CreateFormat>money</CreateFormat>",
        "    <IsSearchable>false</IsSearchable>",
        "get_BaseSchemaName",
        "get_CommandText",
        "sqlite3_table_cursor_interop",
        "pvCallback",
        "connectionFlags",
        "Equals",
        "xFilter",
        "SuppressFinalize",
        "GetParamValueDouble",
        "CompanyName",
        "BeginLoadData",
        "restrictionValues",
        "SQLiteVirtualTableCursor",
        "get_ResultCode",
        "IsAliased",
        "OUse one of the standard BeginTransaction methods, this one will be removed soon",
        "TRACE_WARNING",
        "CheckDisposed",
        "sqlite3_update_hook",
        "Caught exception in \"Compare\" (UTF8) method: {0}",
        "LogEventArgs",
        "get_LegacyFormat",
        "SyncMode",
        "SourceVersion",
        "yyyy-MM-dd HH:mm",
        "invalid native table",
        "remove__rollbackHandler",
        "_fieldCount",
        "Command",
        "sqlite3_bind_parameter_name_interop",
        "Schema_Columns",
        "StepCallback",
        "CommitEventArgs",
        "sqlite3_result_error16",
        "_unboundFlag",
        "_FinalFunc",
        "_baseSchemaName",
        "notNull",
        "sqlite3_trace",
        "    <ColumnSize>1</ColumnSize>",
        "Source connection has an invalid handle.",
        "Schema_MetaDataCollections",
        "ThirtyBits",
        "sqlite3_column_name_interop",
        "GetValue",
        "ExecuteNonQuery",
        "set_PageSize",
        "Enqueue",
        "IdentifierPattern",
        "SQLiteFinalCallback",
        "sqlite3_index_info",
        "get_OrderByConsumed",
        "MaximumScale",
        "AllocateTable",
        "get_CacheSize",
        "alignment",
        "xConnect",
        "get_Count",
        "Substring",
        "Finalize",
        "CHARACTER_OCTET_LENGTH",
        "FallbackGetProperties",
        "ignoreCase",
        "SORT_MODE",
        "julianDay",
        "BaseSchemaName",
        "journal mode",
        "ToDecimal",
        "get_Changes",
        "Check",
        "DataDirectory",
        "_handlers",
        "CountPool",
        "ValueType",
        "keepQuote",
        "unknown operation",
        "ToFullPath",
        "DefaultSetDefaults",
        "Delegate",
        "GetSByte",
        "DataTable",
        "Interlocked",
        "INDEXCOLUMNS",
        "disposed",
        "op_Explicit",
        "SQLiteVersion",
        "EqualTo",
        "get_Kind",
        "WARNING: Type mapping failed, returning default name \"{0}\" for type {1}.",
        "Database connection not valid for getting memory used.",
        "_dataDirectory",
        "SQLiteBytes",
        "constraintUsages",
        "_datetimeFormatString",
        "nTransient",
        "RecordsAffected",
        "get_ErrorCode",
        "WrapNonExceptionThrows",
        "    <CollectionName>MetaDataCollections</CollectionName>",
        "DbException",
        "GetType",
        "_datetimeFormat",
        "Virtual table error: {0}",
        "get_SQLiteConvert",
        "THROW_ON_DISPOSED",
        " ********************************************************/",
        "CantOpen",
        "ReservedWord",
        "disposeSelect",
        "sqlite3_config_log",
        "Closed",
        "DataRow",
        "set_Flags",
        "UINT8",
        "sourceName",
        "_count",
        "System.Globalization",
        "_dataSource",
        "_reader",
        "DefaultEstimatedCost",
        "LogExceptionsNoThrow",
        "Cannot set CommandText while a DataReader is active",
        "_version",
        "ReliabilityContractAttribute",
        "IntPtrForOffset",
        "SELECT * FROM [{0}].[{1}] WHERE [type] LIKE 'view'",
        "    <DataType>System.DateTime</DataType>",
        "GetParameterName",
        "Version",
        "    <CreateFormat>boolean</CreateFormat>",
        "KeyValuePair`2",
        "RemainingBackup",
        "LONGVARCHAR",
        "COUNTER",
        "sqlite3_result_null",
        "parameterName",
        "logExceptions",
        "destination",
        "SQLiteConnectionEventHandler",
        "Database must be opened before changing the AV retry parameters.",
        "    <CreateFormat>yesno</CreateFormat>",
        "    <LiteralPrefix>'</LiteralPrefix>",
        "orderBys",
        "State",
        "SetHandle",
        "LayoutKind",
        "scale",
        "DefaultUseUTF16Encoding",
        "BindParameters",
        "sqlite3_realloc",
        "PreLoadSQLite_BaseDirectory",
        "_datetimeKind",
        "Database connection not valid for {0} extensions.",
        "sqlite3_resetall_interop",
        "no managed cursor was created",
        "StringArrayFromUtf8SizeAndIntPtr",
        "table",
        "TableFromIntPtr",
        "p1len",
        "blobData",
        "get_IsInvalid",
        "NewSplit",
        "sqlite3_interrupt",
        "set_DataAdapter",
        "remove__commitHandler",
        "FLOAT",
        "disk I/O error",
        "ArgumentOutOfRangeException",
        "set_ParseViaFramework",
        "Bind_Int32",
        "GetName",
        "The connection handle is invalid.",
        "GetValues",
        "    <IsFixedPrecisionScale>true</IsFixedPrecisionScale>",
        "GetUInt16",
        "IDENTITY",
        "_statementList",
        "remove_Changed",
        "sqlite3_aggregate_context",
        "ParameterNamePattern",
        "EventHandler",
        "StringBuilder",
        "PROCESSOR_ARCHITECTURE",
        "StringComparer",
        "DataSourceProductVersion",
        "_scope",
        "activeStatement",
        "INTEGER16",
        "PageSize",
        "UNSIGNEDINTEGER64",
        "Affinity",
        "FreeTable",
        "DateTimeKind",
        "Destroy",
        "Microsoft.VSDesigner.Data.SQL.Design.SqlCommandTextEditor, Microsoft.VSDesigner, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3auSystem.Drawing.Design.UITypeEditor, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",
        "get_IsNullable",
        "VIEW_DEFINITION",
        "GetEnvironmentVariable",
        "UnixEpoch",
        "SELECT * FROM [{0}].[{1}] WHERE [type] LIKE 'table'",
        "managed cursor for {0} not found",
        "ToDateTime",
        "sqlite3_declare_vtab",
        "_nullable",
        "DbTypeToTypeName",
        "Synchronous",
        "    <ProviderDbType>10</ProviderDbType>",
        "set_DbConnection",
        "destDb",
        "sqlite3_column_text16_interop",
        "Database connection not valid for loading extensions.",
        "get_TickCount",
        "get_Inputs",
        "<null>",
        "    <DataType>System.Byte[]</DataType>",
        "pUserData",
        "INTEROP_VIRTUAL_TABLE",
        "    <DataType>System.Boolean</DataType>",
        "    <TypeName>boolean</TypeName>",
        "nbytelen",
        "Database connection not valid for checking handle.",
        "    <IsUnsigned>true</IsUnsigned>",
        "    <TypeName>datetime</TypeName>",
        "Closing",
        "databaseFileName",
        "native module implementation not available",
        "set_IndexNumber",
        "CONSTRAINT_SCHEMA",
        "    <TypeName>real</TypeName>",
        "pVTab",
        "bOnOff",
        "AssemblyConfigurationAttribute",
        "GetInt",
        "Component",
        "IsHidden",
        "DATETIME",
        "nBytes",
        "ffinal",
        "RollbackCallback",
        "PRAGMA [{0}].TABLE_INFO([{1}])",
        "TypeNameStringComparer",
        "get_CatalogSeparator",
        "get_Events",
        "LoadKeyInfo",
        "add_Update",
        "MaxPageCount",
        "errorCode",
        "^[\\p{Lo}\\p{Lu}\\p{Ll}\\p{Lm}_@#][\\p{Lo}\\p{Lu}\\p{Ll}\\p{Lm}\\p{Nd}\\uff3f_@#\\$]*(?=\\s+|$)",
        "_contextDataList",
        "separator character cannot be the escape or quote characters",
        "DbConnection",
        "sqlite3_column_origin_name_interop",
        "FKEY_ON_DELETE",
        "SetRowUpdatingHandler",
        "SelectCommand",
        "    <TypeName>guid</TypeName>",
        "IsSearchableWithLike",
        "WriteDouble",
        "IEqualityComparer`1",
        "    <ColumnSize>3</ColumnSize>",
        "NeutralResourcesLanguageAttribute",
        "    <DataType>System.Int64</DataType>",
        "sqlite3_config_none",
        "IsSynchronized",
        "get_ResourceManager",
        "unbalanced escape or quote character found",
        "param2",
        "xClose",
        "DateTimeFormatString",
        "GeneratedCodeAttribute",
        "CreateFormat",
        "pMemory",
        "_parseViaFramework",
        "autoIncrement",
        "sqlite3_bind_uint64",
        "FullFormat",
        "GetChars",
        "</DocumentElement>",
        "needCollSeq",
        "databasePassword",
        "PlatformID",
        "set_ReadOnly",
        "orderBy",
        "SQLITE_CONFIG_SERIALIZED",
        "SQLiteStatementHandle",
        "sqlite3_create_collation",
        "sqlite3_get_autocommit",
        "wantDefaultValue",
        "NCHAR",
        "WARNING: Type mapping failed, returning default type {0} for name \"{1}\".",
        "yyyy-MM-ddTHH:mm:ss.fffffffK",
        "IsRowVersion",
        "CursorToIntPtr",
        "direction",
        "string contains \"{0}\", which cannot be converted to a byte value",
        "sqlite3_open_v2",
        "InsertCommand",
        "    <TypeName>decimal</TypeName>",
        "    <CreateFormat>tinyint</CreateFormat>",
        "Increment",
        "OrderBys",
        "WriteIntPtr",
        "get_ConnectionPool",
        "SourceColumnNullMapping",
        "SQLiteDbTypeMap",
        "BestIndex",
        "DbTypeToColumnSize",
        "    <ColumnSize>2147483647</ColumnSize>",
        "/********************************************************",
        "No_PreLoadSQLite",
        "<?xml version=\"1.0\" encoding=\"utf-8\" ?>",
        "get_DbType",
        "System.Data.SQLite.SR",
        "CopyTo",
        "ColumnOrdinal",
        "_datetimeFormatUtc",
        "ResetIsUniqueSchemaColumn",
        "_argumentCount",
        "DECIMAL",
        "GetInt64",
        "System.Diagnostics",
        "SMALLINT",
        "TypeConverterAttribute",
        "PtrToStringAnsi",
        "get_Enlist",
        "SetCursorError",
        "    <ColumnSize>16</ColumnSize>",
        "SynchronizationModes",
        "values",
        "openFlags",
        "ProbeForUtf8ByteLength",
        "AggregateContext",
        "pIndex",
        "GetPlatformName",
        "SQLiteBase",
        "sqlite3_extended_errcode",
        "connectionPool",
        "CLSCompliantAttribute",
        "file:",
        "CompareInfo",
        "GetUInt32",
        "dbType",
        "GetDecimal",
        "eventArgs",
        "get_PropertyType",
        "xRename",
        "GetErrorString",
        "NUMBER",
        "get_VersionNumber",
        "ParseConnectionString",
        "UkSystem.Data.UpdateRowSource, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "set_DefaultIsolationLevel",
        "CollationTypeEnum",
        "Y1(oh",
        "    <CreateFormat>currency</CreateFormat>",
        "U$System.Data.SQLite.SQLiteDateFormats",
        "INT64",
        "SQLiteBackupCallback",
        "Encoding",
        "FreeCursor",
        "column",
        "constraintUsage",
        "colName",
        "AddHandler",
        "bytes",
        "DefaultMaxPageCount",
        "TIMESTAMP",
        "get_NeedToFreeIndexString",
        "SQLITE_DLL",
        "VIEWS",
        "Dequeue",
        "newPrimary",
        "SQLiteEnlistment",
        "newDataType",
        "set_ConnectionString",
        "out of memory",
        "GetParamValueInt32",
        "Data Source cannot be empty.  Use {0} to open an in-memory database",
        "    <CreateFormat>bigint</CreateFormat>",
        "get_Location",
        "TRACE",
        "sqlite3_column_int64",
        "    <IsNullable>true</IsNullable>",
        "SQLiteDbTypeMapping",
        "SetErrorCode",
        "string or blob too big",
        "columns",
        "ModuleName",
        "OleAutomationEpochAsJulianDay",
        "password",
        "xRowId",
        "_domainUnload",
        "BeginTransaction",
        "callback requested query abort",
        "ParseViaFramework",
        "SQLiteDataAdapter",
        "Itanium",
        "sqlite3_result_text16",
        "remove_Trace",
        "OriginalFilename",
        "sqlite3_key",
        "primaryKey",
        "Schema_Catalogs",
        "LessThanOrEqualTo",
        "TryGetValue",
        "Already enlisted in a transaction",
        "System.Runtime.InteropServices",
        "SetHandleAsInvalid",
        "get_SyncRoot",
        "AutoCommit",
        "_flags",
        "INDEXES",
        "get_Database",
        "Parameters",
        "EY2Yw",
        "SQLiteNativeModule",
        "_isValid",
        "CollectionName",
        "contextData",
        "get_Declared",
        "ModuleNotAvailableErrorMessage",
        "Protocol",
        "COMMIT",
        "ChangeDatabase",
        "set_LogErrors",
        "Connection was closed, statement was terminated",
        "pooling",
        "ModuleNotAvailableTableError",
        "SINGLE",
        "innerException",
        "Enter",
        "ToSByte",
        "DefaultCacheSize",
        "TABLE_ID",
        "databaseName",
        "SQLiteLogEventHandler",
        "INTEGRATED",
        "No connection associated with this transaction",
        "Comments",
        "_sqlStatement",
        "NewRow",
        "PoolVersion",
        "SQLITE_CONFIG_GETMUTEX",
        "AddWithValue",
        "mscoree.dll",
        "    <CollectionName>DataTypes</CollectionName>",
        "get_CommandTimeout",
        "fmtString",
        "statement",
        "AssemblyName",
        "get_PoolCount",
        "set_Value",
        "CreateDbCommand",
        "ptrRemain",
        "UpdateCallback",
        "    <TypeName>ntext</TypeName>",
        "set_Length",
        "sqlite3_index_orderby",
        "GetAllAsText",
        "Compare",
        "SQLITE_CONFIG_HEAP",
        "strFunction",
        "Max Pool Size",
        "ReadInt64",
        "    <CollectionName>ViewColumns</CollectionName>",
        "InitializeBackup",
        "    <CollectionName>Triggers</CollectionName>",
        "get_UpdateCommand",
        "right",
        "SQLiteJournalModeEnum",
        "    <LiteralPrefix>X'</LiteralPrefix>",
        "DefaultPropertyAttribute",
        "_functionType",
        "CompositeIdentifierSeparatorPattern",
        "StreamingContext",
        "BeginInvoke",
        "GetConverter",
        "RESERVEDWORDS",
        "SetZeroBlob",
        "    <CreateFormat>oleobject</CreateFormat>",
        "CreateParameter",
        "callback",
        "    <CreateFormat>timestamp</CreateFormat>",
        "SELECT * FROM [{0}].[{1}]",
        "vU6'I",
        "limit",
        "The connection was closed and re-opened, changes were already rolled back",
        "INDEX_SCHEMA",
        "invalid connection",
        "staticSyncRoot",
        "AttributeUsageAttribute",
        "sqlite3_prepare_interop",
        "System.Runtime.CompilerServices",
        "SerializableAttribute",
        "ConnectionPool",
        "failed to select best index for virtual table \"{0}\"",
        "Insufficient parameters supplied to the command",
        "    <IsLong>false</IsLong>",
        "set_QuotePrefix",
        "Exists",
        "Prepared",
        "remove__handlers",
        "MakeRowId",
        "    <CreateFormat>real</CreateFormat>",
        "SQLiteCollation",
        "TYPES",
        "GetFileNameWithoutExtension",
        ".text",
        "database schema has changed",
        "TableName",
        "__StaticArrayInitTypeSize=104",
        "Match",
        "_command",
        "IDisposable",
        "DefaultBaseSchemaName",
        "sqlite3_value_text_interop",
        "ToUnixEpoch",
        "    <IsCaseSensitive>false</IsCaseSensitive>",
        "FileDescription",
        "WriteLine",
        "CONSTRAINT_CATALOG",
        "xOpen",
        "add__rollbackHandler",
        "BrowsableAttribute",
        "get_MemoryUsed",
        "_zDestName",
        "GetSchema",
        "UINT16",
        "ColumnNameComparer",
        "hexpassword",
        "GetInt16",
        "    <CreateFormat>text({0})</CreateFormat>",
        "UNSIGNEDINTEGER16",
        "savepoint",
        "SetTraceCallback",
        "_binaryGuid",
        "strName",
        "set_Pooling",
        "InternalDataCollectionBase",
        "AttributeCollection",
        "System.Data.SQLite.dll",
        "IDbCommand",
        "sqlite3_result_blob",
        "Index",
        "BOOLEAN",
        "ConnectionString",
        "CompareCallback16",
        "autoInc",
        "TABLES",
        "_remainingText",
        "length",
        "    <CreateFormat>smalldate</CreateFormat>",
        "_errorCode",
        "table contains no data",
        "CreateCommandBuilder",
        "    <ColumnSize>23</ColumnSize>",
        "Initialize",
        "INDEX_NAME",
        "DesignOnlyAttribute",
        "ISerializable",
        "CreateFile",
        "DatabaseName",
        "_dbType",
        "Default IsolationLevel",
        "aOrderBy",
        "iTermOffset",
        "IsLong",
        "sqlite3_sourceid",
        "StatementType",
        "Schema_DataSourceInformation",
        "index",
        "TypeConverter",
        "TimeSpan",
        "ColumnIndex",
        "get_Connection",
        "_level",
        "SMALLDATE",
        "    <TypeName>logical</TypeName>",
        "BindAllAsText",
        "set_OrderByConsumed",
        "    <CreateFormat>uniqueidentifier</CreateFormat>",
        "#GUID",
        "strKeyName",
        "set_FuncType",
        "DoubleToInt64Bits",
        "set_ParameterName",
        "AllocateNativeModule",
        "_base",
        "DefaultLegacyFormat",
        "timeoutMS",
        "sqlite3_result_error",
        "DbType",
        "GetDataTypeName",
        "DefaultEventAttribute",
        "file is encrypted or is not a database",
        "    <DataType>System.Int32</DataType>",
        "QuotePrefix",
        "IndexOf",
        "KeyInfo",
        "SetTimeout",
        "    <TypeName>date</TypeName>",
        "THHmmK",
        "THHmmss",
        "ContextCollateCompare",
        "System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "Misuse",
        "sqlite3_errstr",
        "Microsoft.VSDesigner.Data.Design.DBCommandEditor, Microsoft.VSDesigner, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3auSystem.Drawing.Design.UITypeEditor, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",
        "IsFixedSize",
        "ServerVersion",
        "get_OwnHandle",
        "SQLiteFunctionAttribute",
        "SQLiteKeyReader",
        "_queueList",
        "IsCaseSensitive",
        "VARBINARY",
        "sqlite3_log",
        "pvReserved",
        "IsConcurrencyType",
        "System.Data.Common",
        "Enumerator",
        "sqlite3_value_text16_interop",
        "get_VisibleFieldCount",
        "ParameterName",
        "Invalid ConnectionString format, cannot parse: {0}",
        "not an \"enumerator\" cursor",
        "Trace",
        "HH:mm:ss",
        "CatalogLocation",
        "    <CollectionName>Views</CollectionName>",
        "zMessage",
        "rowid",
        "WriteByte",
        "INT32",
        "yyyy-MM-ddTHH:mm:ss.FFFFFFF",
        "datetimekind",
        "GetTypes",
        "ISQLiteSchemaExtensions",
        "PtrToStructure",
        "item type name cannot be null",
        "get_IsClosed",
        "CreateDbParameter",
        "Cancel",
        "CultureInfo",
        "set_LogErrorsNoThrow",
        "get_ItemArray",
        "Constraints",
        "default isolationlevel",
        "'%'<'",
        "ToUTF8",
        "EDM_TYPE",
        "FKEY_MATCH",
        "CompareCallback",
        "SQLiteParameterCollection",
        "WaitForPendingFinalizers",
        "get_Index",
        "TRIGGERS",
        "sqlite3_backup_remaining",
        "yyyyMMddHHmmK",
        "_rowVersion",
        "    <CreateFormat>varbinary</CreateFormat>",
        "reader",
        "tableName",
        "CHARACTER_MAXIMUM_LENGTH",
        "Database connection not valid for query cancellation.",
        "Close",
        "INTEROP_EXTENSION_FUNCTIONS",
        "ConnectionState",
        "System.ComponentModel",
        "PADPADP",
        "connection has invalid handle",
        "sqlite3_column_bytes16",
        "COLLATION_CATALOG",
        "dateValue",
        "DATE_CREATED",
        "add_Changed",
        "MemberDescriptor",
        "UgSystem.Data.CommandType, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "SetParameter",
        "FromOADate",
        "|DataDirectory|",
        "sqlite_autoindex_",
        "get_IsSynchronized",
        "InDoubt",
        "Tables",
        "scope",
        "ForeignKeys",
        "SQLiteBackupHandle",
        "SQLiteDataReader",
        "LegacyFormat",
        "get_SourceVersion",
        "DesignerSerializationVisibilityAttribute",
        "CriticalHandle",
        "GetStockErrorMessage",
        "get_EstimatedCost",
        "get_SourceColumn",
        "SetString",
        "TableNameIndex",
        "KeyQuery",
        "_modules",
        "TABLE_SCHEMA",
        "nStart",
        "sqlite3_column_name16_interop",
        "ProviderType",
        "_dataSize",
        "RefreshPropertiesAttribute",
        "_dbtypetonumericprecision",
        "xDestroyModule",
        "xCreate",
        "Default Isolation Level",
        "    <ProviderDbType>12</ProviderDbType>",
        "ADO.NET Data Provider for SQLite",
        "PRAGMA foreign_keys={0}",
        "get_OSVersion",
        "!This program cannot be run in DOS mode.",
        "Insert",
        "StaticIsInitialized",
        "ToInt32",
        "IFormatProvider",
        "useutf16encoding",
        "ParseConnectionStringViaFramework",
        "page size",
        "Invalid",
        "NTEXT",
        "    <TypeName>float</TypeName>",
        "Value",
        "    <ColumnSize>6</ColumnSize>",
        "SQLiteContext",
        "RuntimeCompatibilityAttribute",
        "functionType",
        "CompilationRelaxationsAttribute",
        "GetConnectionPool",
        "GetSqlForDeclareTable",
        "SecurityAction",
        "AMD64",
        "CreateInstance",
        "add__handlers",
        "NUMERIC",
        "Event",
        "FKEY_ON_UPDATE",
        "sqlite3_last_insert_rowid",
        "OwnHandle",
        "count",
        "SQLITE_FCNTL_WIN32_AV_RETRY",
        "Caught exception while backing up database: {0}",
        "tableRootPage",
        "onoff",
        "UjSystem.Data.IsolationLevel, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "GetValueOrDefault",
        "Monitor",
        "disposing",
        "UpdateEventArgs",
        "TrueString",
        "Connect",
        "_sqlite_backup",
        "get_IsOpen",
        "get_InvariantCulture",
        "Utf8IntPtrFromString",
        "SQLiteFunctionEx",
        "xBegin",
        "    <TypeName>double</TypeName>",
        "bind or column index out of range",
        "DATA_TYPE",
        "GetFunctionKey",
        "UInt64",
        "get_Platform",
        "    <CreateFormat>datetime</CreateFormat>",
        "DesignTimeVisible",
        "UnwrapString",
        "MemoryUsed",
        "Stream",
        "NotImplementedException",
        "StateChange",
        "1.0.88.0",
        "null connection or database handle",
        "    <TypeName>note</TypeName>",
        "GetDefaultResultCode",
        "get_DataAdapter",
        "SetTableError",
        "SQLiteCommandBuilder",
        "sqlite3_changes",
        "Database connection not valid for getting extended result code.",
        "yyyyMMddHHmmss",
        "COLUMN_GUID",
        "PreLoadSQLiteDll",
        "RuntimeTypeHandle",
        "DefineConstants",
        "transaction",
        "strErr",
        "sqlite3_mprintf",
        "funcstep",
        "dbName",
        "GetUpdateCommand",
        "DbEnumerator",
        "funcfinal",
        "RowUpdatingHandler",
        "IEnumerator`1",
        "counts",
        "setdefaults",
        "IEnumerator",
        "argvIndex",
        "Assembly Version",
        "get_JournalMode",
        "ParameterMarkerPattern",
        "http://system.data.sqlite.org/",
        "auxiliary database format error",
        "PRELOAD_NATIVE_LIBRARY",
        "set_MaxPageCount",
        "ReadXml",
        "pvParam",
        "Failed to shutdown interface.",
        "NoLogModule",
        "executeType",
        "LogCallback",
        "database",
        "THHmm",
        "FindBuilder",
        "GetStringFromUtf8Bytes",
        "zDestName",
        "System.Collections.Specialized",
        "EstimatedCost",
        "ExecuteScalar",
        "MulticastDelegate",
        "FinishBackup",
        "DefaultPageSize",
        "persisted",
        "    <TypeName>memo</TypeName>",
        "sortOrder",
        "  <DataTypes>",
        "TableFromCursor",
        "AcceptChanges",
        "{0}:{1}",
        "sqlite3_column_decltype16_interop",
        "_commandBehavior",
        "_commandText",
        "SQLiteConnectionHandle",
        "    <CreateFormat>decimal</CreateFormat>",
        "datetimeformat",
        "sqlite3_value_bytes16",
        "DbProviderFactory",
        "_parameterName",
        "SortedList`2",
        "set_DateTimeFormat",
        "kernel32",
        "Schema_Tables",
        "GetDateTimeKindFormat",
        "get_ReadOnly",
        "    <IsSearchableWithLike>true</IsSearchableWithLike>",
        "FKEY_TO_CATALOG",
        "    <CreateFormat>float</CreateFormat>",
        "TYPE_GUID",
        "set_DataSource",
        "fieldoffset",
        "sqlite3_index_column_info_interop",
        "set_IsNullable",
        "Normal",
        "sqlite3_module",
        "    <IsFixedLength>false</IsFixedLength>",
        "    <ProviderDbType>7</ProviderDbType>",
        "SQLiteSynchronousEnum",
        "set_Transaction",
        "SetReturnValue",
        "GetParamValueType",
        "get_TableName",
        "puser",
        "IssueRollback",
        "nDataoffset",
        "yyyy-MM-dd HH:mm:ss.FFFFFFF",
        "CreateParameters",
        "RollbackTo",
        "    <ProviderDbType>11</ProviderDbType>",
        "RollBack",
        "    <CreateParameters>max length</CreateParameters>",
        "quotedIdentifier",
        "SQLiteDateFormats",
        "DOMAIN_NAME",
        "_connectionPool",
        "BaseServerName",
        "SELECT [type], [name], [tbl_name], [rootpage], [sql], [rowid] FROM [{0}].[{1}] WHERE [type] LIKE 'table'",
        "_affinitytotype",
        "INTEGER64",
        "IsSearchable",
        "ResourceManager",
        "get_InsertCommand",
        "access permission denied",
        "    <NumberOfRestrictions>5</NumberOfRestrictions>",
        "SQLiteIndexOutputs",
        "    <TypeName>money</TypeName>",
        "FreeHGlobal",
        "could not split connection string into properties",
        "destName",
        "sqlite3_malloc_size_interop",
        "ToArray",
        "    <TypeName>image</TypeName>",
        "NumberOfIdentifierParts",
        "sqlite3_config",
        "Database connection not valid for getting number of changes.",
        "DirectorySeparatorChar",
        "    <TypeName>bigint</TypeName>",
        "_poolOpened",
        "GetProcessorArchitecture",
        "inputs",
        "sourceDb",
        "QuotedIdentifierCase",
        "TRIGGER_DEFINITION",
        "ORDINAL_POSITION",
        "Persisted",
        "get_Persisted",
        "Locked",
        "DbDataAdapter",
        "set_InstanceType",
        "ReturnBlob",
        "get_Item",
        "UInt16",
        "    <CreateFormat>char({0})</CreateFormat>",
        "HH:mmK",
        "DataAdapter",
        "    <TypeName>tinyint</TypeName>",
        "Delete",
        "VIEWCOLUMNS",
        "Backup object has an invalid handle.",
        "SQLiteStatement",
        "GetGuid",
        "Notice",
        "sqlite3_result_error_nomem",
        "Database connection not valid for getting result code.",
        "SharedCache",
        "TINYINT",
        "Savepoint",
        "FormatException",
        "COLLATION_NAME",
        "Cannot set Transaction while a DataReader is active",
        "DataSourceInformation",
        "CollationType",
        "GetStatementColumnParents",
        "    <CreateFormat>longtext({0})</CreateFormat>",
        "set_UpdateCommand",
        "Arguments",
        "DefaultDataSource",
        "SQLiteExecuteType",
        "<PrivateImplementationDetails>{C88732BD-73F8-4F9D-A8C1-1DAEFC6118F6}",
        "ICollection",
        "SQLiteIndexConstraint",
        "pVtab",
        "Preparing {<nothing>}...",
        "sqlite3_index_constraint_usage",
        "_updateHandler",
        "GetByte",
        "get_Pooling",
        "GetSQLiteType",
        "MemoryHighwater",
        "add_Trace",
        "SQLiteVirtualTableCursorEnumerator`1",
        "Microsoft.VSDesigner.Data.VS.SqlDataAdapterDesigner, Microsoft.VSDesigner, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",
        "PRAGMA max_page_count={0}",
        "SQLiteIndexInputs",
        "Append",
        "String",
        "TRACE_PRELOAD",
        "Legacy Format",
        "Range",
        "invalid native cursor",
        "disposableModule",
        "ToUInt64",
        "yyyy-MM-ddTHH:mmK",
        "ALL,ALTER,AND,AS,AUTOINCREMENT,BETWEEN,BY,CASE,CHECK,COLLATE,COMMIT,CONSTRAINT,CREATE,CROSS,DEFAULT,DEFERRABLE,DELETE,DISTINCT,DROP,ELSE,ESCAPE,EXCEPT,FOREIGN,FROM,FULL,GROUP,HAVING,IN,INDEX,INNER,INSERT,INTERSECT,INTO,IS,ISNULL,JOIN,LEFT,LIMIT,NATURAL,NOT,NOTNULL,NULL,ON,OR,ORDER,OUTER,PRIMARY,REFERENCES,RIGHT,ROLLBACK,SELECT,SET,TABLE,THEN,TO,TRANSACTION,UNION,UNIQUE,UPDATE,USING,VALUES,WHEN,WHERE",
        "Mismatch",
        "PRAGMA [{0}].foreign_key_list([{1}])",
        "_objValue",
        "ArgumentNullException",
        "ReturnError",
        "METADATACOLLECTIONS",
        "ContainsKey",
        "Begin",
        "PRAGMA journal_mode={0}",
        ";\";0;8;@;E;T;Y;h;w;",
        "strRemain",
        "get_SQLiteVersionNumber",
        "Transaction",
        "Caught exception in \"{0}\" method: {1}",
        "ReturnNull",
        "LastInsertRowId",
        "ErrorCode",
        "CreateConnection",
        "IEnumerable`1",
        "sqlite3_bind_uint",
        "ToInt64",
        "keyword",
        "COLUMN_PROPID",
        "System.Runtime.ConstrainedExecution",
        "    <ProviderDbType>3</ProviderDbType>",
        "cursor",
        "get_DesignTimeVisible",
        "SetDefaults",
        "Convert",
        "Binder",
        "failed to rename virtual table from \"{0}\" to \"{1}\"",
        "ReferenceEquals",
        "sqlite3_bind_parameter_count",
        "BuildTempSchema",
        "ATTACH DATABASE '{0}' AS [{1}]",
        "UpdateEventType",
        "WeakReference",
        "processorArchitecturePlatforms",
        "Unbind",
        "TypeDefinitions",
        "UTF8Encoding",
        "SQLiteConnectionStringBuilder",
        "NextOffsetOf",
        "AllowMultiple",
        "internal logic error",
        "CommandText",
        "Bind_Int64",
        "sqlite3_column_text_interop",
        "GetByteCount",
        " * ADO.NET 2.0 Data Provider for SQLite Version 3.X",
        "yyyy-MM-ddTHH:mm:ssK",
        " * Released to the public domain, use at your own risk!",
        "functionAttribute",
        "INT16",
        "adapter",
        "remove_Commit",
        "get_Key",
        "remove__updateHandler",
        "CreateHandle",
        "get_RecordsAffected",
        "MetaDataCollections",
        "No connection associated with this command",
        "U`System.DateTimeKind, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "sqlite3_vtab",
        "DatabaseNameIndex",
        "`.rsrc",
        "GetParameterPlaceholder",
        "The connection handle is closed.",
        "ForceRollback",
        "DesignerSerializationVisibility",
        "    <CollectionName>Tables</CollectionName>",
        "resetFlag",
        "HasRows",
        "INTEGER32",
        "OpenAndReturn",
        "DataColumnCollection",
        "ISO8601",
        "AssemblyProductAttribute",
        "SetUpdateHook",
        "  </DataTypes>",
        "DataTypes",
        "get_Constraints",
        "get_Length",
        "WINDOWS",
        "CreateConnectionStringBuilder",
        "set_SourceColumn",
        "yyyyMMddTHHmmssFFFFFFF",
        "NotADb",
        "Win32",
        "Current",
        "GetFullPath",
        "SMALLUINT",
        "OnChanged",
        "connection property value is not a string",
        "_properties",
        "GetNativeModuleImpl",
        "PRAGMA synchronous={0}",
        "_typeNames",
        "_utf8",
        "xDisconnect",
        "queue",
        "sqlite3_db_handle",
        "get_HexPassword",
        "GetStatement",
        "RoundUp",
        "XmlReadMode",
        "_name",
        "usable",
        "QuoteSuffix",
        "RSDSn;+[",
        "get_Depth",
        "default timeout",
        "WinCE",
        "SQLITE_CONFIG_MEMSTATUS",
        "ISQLiteManagedModule",
        "GetRowIndex",
        "Activator",
        "sqlite3_extended_result_codes",
        "set_UpdatedRowSource",
        "get_DefineConstants",
        "Statement {0} paramter count is {1}.",
        "AllFiles",
        "Opened",
        "Flags",
        "set_Arguments",
        "cursors",
        "IndexColumns",
        "System.Security.Permissions",
        "(^\\[\\p{Lo}\\p{Lu}\\p{Ll}_@#][\\p{Lo}\\p{Lu}\\p{Ll}\\p{Nd}@$#_]*$)|(^\\[[^\\]\\0]|\\]\\]+\\]$)|(^\\\"[^\\\"\\0]|\\\"\\\"+\\\"$)",
        "DBNull",
        "defValue",
        "PoolQueue",
        "ToUInt16",
        "_activeReader",
        "DefaultDateTimeFormat",
        "    <LiteralSuffix>'</LiteralSuffix>",
        "COR_E_EXCEPTION",
        "flags",
        "WriteInt64",
        "SQLiteTraceEventHandler",
        "FullUri",
        "add_DomainUnload",
        "VS_VERSION_INFO",
        "DefaultModuleVersion",
        "_unnamedParameters",
        "sqlite3_backup_pagecount",
        "sourceColumn",
        "System.Transactions",
        "SourceColumn",
        "    <IsFixedPrecisionScale>false</IsFixedPrecisionScale>",
        "sqlbase",
        "    <ProviderDbType>15</ProviderDbType>",
        "SQLiteException",
        "DbTransaction",
        "Attribute",
        "constraints",
        "SQLite.Interop.dll",
        "List`1",
        "set_FailIfMissing",
        "method",
        "AssemblyCopyrightAttribute",
        "    <TypeName>smallint</TypeName>",
        "NoLoadExtension",
        "PRIMARY_KEY",
        "NoLfs",
        "    <TypeName>varchar</TypeName>",
        "The connection handle wrapper is null.",
        "collateSequence",
        "TraceEventArgs",
        "Page Size",
        "DataReader already active on this command",
        "ToByteArray",
        "datetimeformatstring",
        "UnquoteIdentifier",
        "CreateCollation",
        "InstanceType",
        "TryParse",
        "LONGTEXT",
        "SetEstimatedCost",
        "Array",
        "SetBlob",
        "    <ColumnSize>7</ColumnSize>",
        "Trying to load native SQLite library \"{0}\"..."
      ],
      "virustotal": {
        "error": true,
        "msg": "VT File lookup disabled in processing.conf"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-04-16 22:25:56",
    "ended": "2026-04-16 22:31:30",
    "duration": 334,
    "id": 35,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 28,
      "status": "stopping",
      "name": "win10x64",
      "label": "win10x64",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-04-16 22:25:56",
      "shutdown_on": "2026-04-16 22:31:29"
    },
    "package": "dll",
    "timeout": true,
    "tlp": null,
    "parent_sample": {
      "id": 23,
      "file_size": 13850813,
      "file_type": "7-zip archive data, version 0.3",
      "md5": "a17189d956c6d1975717256a6e6418cb",
      "crc32": "97AFA081",
      "sha1": "970e16de1d07a90dd285e84b59c0a77e8992ed9f",
      "sha256": "f9cef6944196d5d27ca99a9c6287d9718b658add797e9cb770789a0c4dbf2bcd",
      "sha512": "3105fa5d4d6914fe69f4d4ab9e517eab55d225bbdfa199f37f3c9f103805b1b5c587fe5e985a87ea60e2e7d511a0f872619343014233791ef63859130065e9f1",
      "ssdeep": null,
      "source_url": null
    },
    "options": {},
    "source_url": null,
    "route": "",
    "user_id": 0,
    "CAPE_current_commit": "a9a0887dab232f52c59e955b9984dd494c47ce6b"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 6700,
        "process_name": "rundll32.exe",
        "parent_id": 7304,
        "module_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
        "first_seen": "2026-04-16 19:26:59,016",
        "calls": [
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x77274faa",
            "parentcaller": "0x77514cce",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetThreadContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ae38d0"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetThreadTimes"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1f70"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "IsProcessorFeaturePresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0b70"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenThread"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf5b0"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "ProcessIdToSessionId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0b90"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetProcessShutdownParameters"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac9540"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ae4d20"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0c20"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x77274faa",
            "parentcaller": "0x77514d2f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x77274faa",
            "parentcaller": "0x77514cce",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x77274faa",
            "parentcaller": "0x77514d2f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x77e7007d",
            "parentcaller": "0x7726648d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x77e7007d",
            "parentcaller": "0x7726648d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\imagehlp"
              },
              {
                "name": "BaseAddress",
                "value": "0x77510000"
              },
              {
                "name": "InitRoutine",
                "value": "0x77516560"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "816",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-04-16 19:26:59,578",
            "thread_id": "6276",
            "caller": "0x77e91c0e",
            "parentcaller": "0x77e8dbb1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000007c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 16
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "816",
            "caller": "0x00d25f1a",
            "parentcaller": "0x00d25fdd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00a83000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "816",
            "caller": "0x00d25f1a",
            "parentcaller": "0x00d25fdd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00a84000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "6272",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00a85000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "6272",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00a87000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "816",
            "caller": "0x00d24168",
            "parentcaller": "0x00d26078",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "34",
                "pretty_value": "ProcessExecuteFlags"
              },
              {
                "name": "ProcessInformation",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "816",
            "caller": "0x00d240d8",
            "parentcaller": "0x00d241fe",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "816",
            "caller": "0x00d24290",
            "parentcaller": "0x00d26078",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "816",
            "caller": "0x00d259c5",
            "parentcaller": "0x00d242a3",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll.manifest"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "6276",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00a89000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "6276",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "6276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "7200",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-04-16 19:26:59,625",
            "thread_id": "7200",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002c8"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ac0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00044000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll.123.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a1d",
            "parentcaller": "0x00d242a3",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ac0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002cc"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-04-16 19:26:59,703",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ac0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00044000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll.124.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a3e",
            "parentcaller": "0x00d242a3",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ac0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002d0"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ac0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00044000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-04-16 19:26:59,719",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll.2.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-04-16 19:26:59,734",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-04-16 19:26:59,734",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-04-16 19:26:59,734",
            "thread_id": "816",
            "caller": "0x00d25a5f",
            "parentcaller": "0x00d242a3",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ac0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-04-16 19:26:59,734",
            "thread_id": "816",
            "caller": "0x00d25abb",
            "parentcaller": "0x00d242a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-04-16 19:26:59,734",
            "thread_id": "816",
            "caller": "0x00d25abb",
            "parentcaller": "0x00d242a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-04-16 19:26:59,734",
            "thread_id": "816",
            "caller": "0x00d25abb",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-04-16 19:26:59,734",
            "thread_id": "816",
            "caller": "0x00d25abb",
            "parentcaller": "0x00d242a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\rundll32.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-04-16 19:26:59,750",
            "thread_id": "816",
            "caller": "0x00d25abb",
            "parentcaller": "0x00d242a3",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "816"
              },
              {
                "name": "Module",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "Return Address",
                "value": "0x76ad24ac"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-04-16 19:26:59,766",
            "thread_id": "816",
            "caller": "0x00d25abb",
            "parentcaller": "0x00d242a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-04-16 19:26:59,766",
            "thread_id": "816",
            "caller": "0x00d25d94",
            "parentcaller": "0x00d242ae",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-04-16 19:26:59,766",
            "thread_id": "816",
            "caller": "0x00d25d1d",
            "parentcaller": "0x00d25db9",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-04-16 19:26:59,766",
            "thread_id": "816",
            "caller": "0x00d25d42",
            "parentcaller": "0x00d25db9",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-04-16 19:26:59,766",
            "thread_id": "816",
            "caller": "0x00d25dc4",
            "parentcaller": "0x00d242ae",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-04-16 19:26:59,766",
            "thread_id": "816",
            "caller": "0x00d23c8d",
            "parentcaller": "0x00d23e97",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite"
              },
              {
                "name": "DllBase",
                "value": "0x05ac0000"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-04-16 19:26:59,781",
            "thread_id": "816",
            "caller": "0x00d23c8d",
            "parentcaller": "0x00d23e97",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ac0000"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-04-16 19:26:59,781",
            "thread_id": "816",
            "caller": "0x00d23d51",
            "parentcaller": "0x00d23e97",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "34",
                "pretty_value": "ProcessExecuteFlags"
              },
              {
                "name": "ProcessInformation",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-04-16 19:26:59,781",
            "thread_id": "816",
            "caller": "0x00d23da6",
            "parentcaller": "0x00d23eb2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000138",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "System.Data.SQLite.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x05ac0000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "1"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-04-16 19:26:59,781",
            "thread_id": "816",
            "caller": "0x00d23924",
            "parentcaller": "0x00d23f58",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00a40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-04-16 19:26:59,781",
            "thread_id": "816",
            "caller": "0x00d23924",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000104"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-04-16 19:26:59,781",
            "thread_id": "816",
            "caller": "0x00d23924",
            "parentcaller": "0x00d23f58",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000104"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-04-16 19:26:59,781",
            "thread_id": "816",
            "caller": "0x00d23924",
            "parentcaller": "0x00d23f58",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000104"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-04-16 19:26:59,781",
            "thread_id": "816",
            "caller": "0x00d23924",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000104"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-04-16 19:26:59,781",
            "thread_id": "816",
            "caller": "0x00d23924",
            "parentcaller": "0x00d23f58",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000104"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\rundll32.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-04-16 19:26:59,797",
            "thread_id": "816",
            "caller": "0x00d23924",
            "parentcaller": "0x00d23f58",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000104"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\rundll32.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-04-16 19:26:59,797",
            "thread_id": "816",
            "caller": "0x00d23924",
            "parentcaller": "0x00d23f58",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00a40000"
              },
              {
                "name": "SectionOffset",
                "value": "0x008ce460"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-04-16 19:26:59,797",
            "thread_id": "816",
            "caller": "0x00d23924",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-04-16 19:26:59,797",
            "thread_id": "816",
            "caller": "0x00d25e77",
            "parentcaller": "0x00d269af",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00d2b000"
              },
              {
                "name": "ModuleName",
                "value": "rundll32.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-04-16 19:26:59,797",
            "thread_id": "816",
            "caller": "0x00d25e77",
            "parentcaller": "0x00d269af",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00d2b000"
              },
              {
                "name": "ModuleName",
                "value": "rundll32.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-04-16 19:26:59,813",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "816"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x772833ec"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-04-16 19:27:00,047",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\TextShaping"
              },
              {
                "name": "DllBase",
                "value": "0x73b20000"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-04-16 19:27:00,109",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x745d0000"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-04-16 19:27:00,125",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x745d0000"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-04-16 19:27:00,125",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x76ba0000"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-04-16 19:27:00,156",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x75250000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-04-16 19:27:00,156",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x76d80000"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-04-16 19:27:00,344",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x73710000"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-04-16 19:27:00,359",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x73740000"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-04-16 19:27:00,359",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x73630000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-04-16 19:27:00,359",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "DllBase",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-04-16 19:27:00,359",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework"
              },
              {
                "name": "DllBase",
                "value": "0x73a60000"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-04-16 19:27:00,516",
            "thread_id": "816",
            "caller": "0x00d23a40",
            "parentcaller": "0x00d23f58",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-04-16 19:27:30,203",
            "thread_id": "3220",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-04-16 19:27:30,203",
            "thread_id": "3220",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-04-16 19:27:30,203",
            "thread_id": "3220",
            "caller": "0x77271454",
            "parentcaller": "0x7693b5fa",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000348"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-04-16 19:27:30,203",
            "thread_id": "3220",
            "caller": "0x76938f18",
            "parentcaller": "0x76938dcd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-04-16 19:27:30,203",
            "thread_id": "3200",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-04-16 19:27:30,203",
            "thread_id": "3200",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-04-16 19:27:58,719",
            "thread_id": "7052",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "7052"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-04-16 19:27:58,719",
            "thread_id": "7052",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-04-16 19:27:58,719",
            "thread_id": "3052",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3052"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-04-16 19:27:58,719",
            "thread_id": "3052",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-04-16 19:29:12,047",
            "thread_id": "3200",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3200"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-04-16 19:29:12,047",
            "thread_id": "3220",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3220"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-04-16 19:29:12,047",
            "thread_id": "3220",
            "caller": "0x77e91c0e",
            "parentcaller": "0x77e8f79e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000007c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 110
          },
          {
            "timestamp": "2026-04-16 19:29:12,047",
            "thread_id": "3200",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-04-16 19:29:12,047",
            "thread_id": "3220",
            "caller": "0x7726269a",
            "parentcaller": "0x7693c192",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000348"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-04-16 19:29:12,047",
            "thread_id": "3220",
            "caller": "0x7726269a",
            "parentcaller": "0x7693c214",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000344"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-04-16 19:29:12,047",
            "thread_id": "3220",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 114
          }
        ],
        "threads": [
          "816",
          "6276",
          "6272",
          "7200",
          "3220",
          "3200",
          "7052",
          "3052"
        ],
        "environ": {
          "UserName": "cape",
          "ComputerName": "DESKTOP-PC01",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll\",#1",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "7c6d-8d48",
          "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
          "MachineGUID": "",
          "MainExeBase": "0x00d20000",
          "MainExeSize": "0x00014000",
          "Bitness": "32-bit",
          "DllBase": "0x05ac0000"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "rundll32.exe",
        "pid": 6700,
        "parent_id": 7304,
        "module_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
        "children": [],
        "threads": [
          "816",
          "6276",
          "6272",
          "7200",
          "3220",
          "3200",
          "7052",
          "3052"
        ],
        "environ": {
          "UserName": "cape",
          "ComputerName": "DESKTOP-PC01",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll\",#1",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "7c6d-8d48",
          "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
          "MachineGUID": "",
          "MainExeBase": "0x00d20000",
          "MainExeSize": "0x00014000",
          "Bitness": "32-bit",
          "DllBase": "0x05ac0000"
        }
      }
    ],
    "summary": {
      "files": [
        "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll.manifest",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll.123.Manifest",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll.124.Manifest",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll.2.Manifest",
        "C:\\Windows\\SysWOW64\\rundll32.exe",
        "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\rundll32.exe.mui"
      ],
      "read_files": [],
      "write_files": [],
      "delete_files": [],
      "keys": [
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
      ],
      "write_keys": [],
      "delete_keys": [],
      "executed_commands": [],
      "resolved_apis": [],
      "mutexes": [],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:26:59,703",
        "eid": 1,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:26:59,719",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:26:59,719",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:26:59,734",
        "eid": 4,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:26:59,781",
        "eid": 5,
        "data": {
          "file": "C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll",
          "pathtofile": null,
          "moduleaddress": "0x05ac0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:26:59,781",
        "eid": 6,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:27:00,125",
        "eid": 7,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x745d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:27:00,516",
        "eid": 8,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ab0000"
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": []
    }
  },
  "debug": {
    "log": "2026-03-05 20:34:40,194 [root] INFO: Date set to: 20260416T22:26:15, timeout set to: 200\n2026-04-16 22:26:15,141 [root] DEBUG: Starting analyzer from: C:\\fq4m33ax\n2026-04-16 22:26:15,157 [root] DEBUG: Storing results at: C:\\QTacMJke\n2026-04-16 22:26:15,157 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\dLSSanXp\n2026-04-16 22:26:15,157 [root] DEBUG: Python path: C:\\Python310\n2026-04-16 22:26:15,157 [root] INFO: analysis running as an admin\n2026-04-16 22:26:15,157 [root] INFO: analysis package specified: \"dll\"\n2026-04-16 22:26:15,157 [root] DEBUG: importing analysis package module: \"modules.packages.dll\"...\n2026-04-16 22:26:15,173 [root] DEBUG: imported analysis package \"dll\"\n2026-04-16 22:26:15,188 [root] DEBUG: initializing analysis package \"dll\"...\n2026-04-16 22:26:15,188 [lib.common.common] INFO: wrapping\n2026-04-16 22:26:15,188 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-04-16 22:26:15,188 [root] DEBUG: New location of moved file: C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll\n2026-04-16 22:26:15,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option\n2026-04-16 22:26:15,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option\n2026-04-16 22:26:15,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option\n2026-04-16 22:26:15,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option\n2026-04-16 22:26:15,469 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-04-16 22:26:15,719 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-04-16 22:26:15,735 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-04-16 22:26:15,751 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-04-16 22:26:15,907 [lib.api.screenshot] DEBUG: Importing 
'PIL.ImageChops'\n2026-04-16 22:26:16,001 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'\n2026-04-16 22:26:16,141 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'\n2026-04-16 22:26:17,173 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance\n2026-04-16 22:26:17,173 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-04-16 22:26:17,188 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-04-16 22:26:17,188 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-04-16 22:26:17,188 [root] DEBUG: attempting to configure 'Browser' from data\n2026-04-16 22:26:17,188 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-04-16 22:26:17,188 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-04-16 22:26:17,188 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-04-16 22:26:17,188 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-04-16 22:26:17,188 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-04-16 22:26:17,188 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-04-16 22:26:17,204 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-04-16 22:26:17,204 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-04-16 22:26:45,813 [modules.auxiliary.digisig] DEBUG: File is not signed\n2026-04-16 22:26:45,813 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-04-16 22:26:45,829 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-04-16 22:26:45,829 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-04-16 22:26:45,829 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-04-16 22:26:45,829 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-04-16 22:26:45,829 [root] DEBUG: Trying to start 
auxiliary module \"modules.auxiliary.disguise\"...\n2026-04-16 22:26:45,844 [modules.auxiliary.disguise] INFO: Disguising GUID to 5a8e348d-99a6-4758-a3f9-e9fa9748076d\n2026-04-16 22:26:45,844 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-04-16 22:26:45,844 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-04-16 22:26:45,844 [root] DEBUG: attempting to configure 'Human' from data\n2026-04-16 22:26:45,844 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-04-16 22:26:45,844 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-04-16 22:26:45,860 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-04-16 22:26:45,860 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-04-16 22:26:45,860 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-04-16 22:26:45,860 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-04-16 22:26:45,860 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-04-16 22:26:45,923 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-04-16 22:26:45,923 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-04-16 22:26:45,923 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-04-16 22:26:46,001 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-04-16 22:26:46,001 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-04-16 22:26:46,016 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644\n2026-04-16 22:26:46,297 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\\fq4m33ax\\dll\\644.ini\n2026-04-16 22:26:46,313 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2026-04-16 22:26:46,391 [lib.api.process] INFO: 64-bit DLL to inject is C:\\fq4m33ax\\dll\\BslrYiZZ.dll, 
loader C:\\fq4m33ax\\bin\\xGTzzDJq.exe\n2026-04-16 22:26:46,485 [root] DEBUG: Loader: Injecting process 644 with C:\\fq4m33ax\\dll\\BslrYiZZ.dll.\n2026-04-16 22:26:47,313 [root] DEBUG: 644: Python path set to 'C:\\Python310'.\n2026-04-16 22:26:47,313 [root] DEBUG: 644: Disabling sleep skipping.\n2026-04-16 22:26:47,313 [root] DEBUG: 644: TLS secret dump mode enabled.\n2026-04-16 22:26:47,501 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500\n2026-04-16 22:26:47,532 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABE10000, thread 5676, image base 0x00007FF7C23E0000, stack from 0x0000008E4CD72000-0x0000008E4CD80000\n2026-04-16 22:26:47,532 [root] DEBUG: 644: Commandline: C:\\Windows\\system32\\lsass.exe\n2026-04-16 22:26:47,563 [root] DEBUG: 644: Hooked 5 out of 5 functions\n2026-04-16 22:26:47,626 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-04-16 22:26:47,782 [root] DEBUG: Successfully injected DLL C:\\fq4m33ax\\dll\\BslrYiZZ.dll.\n2026-04-16 22:26:47,797 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe>\n2026-04-16 22:26:47,797 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-04-16 22:26:47,860 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\\QTacMJke\\tlsdump\\tlsdump.log\n2026-04-16 22:26:55,673 [root] INFO: Restarting WMI Service\n2026-04-16 22:26:55,766 [root] DEBUG: package modules.packages.dll does not support configure, ignoring\n2026-04-16 22:26:55,766 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'\n2026-04-16 22:26:55,766 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-04-16 22:26:55,813 [lib.api.process] INFO: Successfully executed process from path \"C:\\Windows\\System32\\rundll32.exe\" with 
arguments \"\"C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll\",#1\" with pid 6700\n2026-04-16 22:26:55,813 [lib.api.process] INFO: Monitor config for <Process 6700 rundll32.exe>: C:\\fq4m33ax\\dll\\6700.ini\n2026-04-16 22:26:55,829 [lib.api.process] INFO: 32-bit DLL to inject is C:\\fq4m33ax\\dll\\CypYpC.dll, loader C:\\fq4m33ax\\bin\\djQPmfJ.exe\n2026-04-16 22:26:55,938 [root] DEBUG: Loader: Injecting process 6700 (thread 816) with C:\\fq4m33ax\\dll\\CypYpC.dll.\n2026-04-16 22:26:55,969 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-04-16 22:26:55,985 [root] DEBUG: Successfully injected DLL C:\\fq4m33ax\\dll\\CypYpC.dll.\n2026-04-16 22:26:56,016 [lib.api.process] INFO: Injected into 32-bit <Process 6700 rundll32.exe>\n2026-04-16 22:26:58,032 [lib.api.process] INFO: Successfully resumed <Process 6700 rundll32.exe>\n2026-04-16 22:26:59,001 [root] DEBUG: 6700: Python path set to 'C:\\Python310'.\n2026-04-16 22:26:59,016 [root] DEBUG: 6700: Disabling sleep skipping.\n2026-04-16 22:26:59,016 [root] DEBUG: 6700: Dropped file limit defaulting to 100.\n2026-04-16 22:26:59,048 [root] DEBUG: 6700: YaraInit: Compiled 44 rule files\n2026-04-16 22:26:59,063 [root] DEBUG: 6700: YaraInit: Compiled rules saved to file C:\\fq4m33ax\\data\\yara\\capemon.yac\n2026-04-16 22:26:59,063 [root] DEBUG: 6700: YaraScan: Scanning 0x00D20000, size 0x136e8\n2026-04-16 22:26:59,063 [root] DEBUG: 6700: Monitor initialised: 32-bit capemon loaded in process 6700 at 0x73bc0000, thread 816, image base 0xd20000, stack from 0x8c2000-0x8d0000\n2026-04-16 22:26:59,063 [root] DEBUG: 6700: Commandline: \"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite.dll\",#1\n2026-04-16 22:26:59,173 [root] DEBUG: 6700: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress\n2026-04-16 22:26:59,188 [root] DEBUG: 6700: hook_api: Warning - CreateProcessA export address 0x76AE2D90 differs from GetProcAddress -> 
0x73F522A0 (AcLayers.DLL::0xfd4a22a0)\n2026-04-16 22:26:59,188 [root] DEBUG: 6700: hook_api: Warning - CreateProcessW export address 0x76AC88E0 differs from GetProcAddress -> 0x73F524E0 (AcLayers.DLL::0xfd4a24e0)\n2026-04-16 22:26:59,188 [root] DEBUG: 6700: hook_api: Warning - WinExec export address 0x76B0CF20 differs from GetProcAddress -> 0x73F527A0 (AcLayers.DLL::0xfd4a27a0)\n2026-04-16 22:26:59,313 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2026-04-16 22:26:59,313 [root] DEBUG: 6700: set_hooks: Unable to hook GetCommandLineA\n2026-04-16 22:26:59,329 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2026-04-16 22:26:59,329 [root] DEBUG: 6700: set_hooks: Unable to hook GetCommandLineW\n2026-04-16 22:26:59,548 [root] DEBUG: 6700: Hooked 630 out of 632 functions\n2026-04-16 22:26:59,548 [root] DEBUG: 6700: Syscall hook installed, syscall logging level 1\n2026-04-16 22:26:59,579 [root] DEBUG: 6700: RestoreHeaders: Restored original import table.\n2026-04-16 22:26:59,579 [root] INFO: Loaded monitor into process with pid 6700\n2026-04-16 22:26:59,595 [root] DEBUG: 6700: caller_dispatch: Added region at 0x00D20000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00D25F1A, thread 816).\n2026-04-16 22:26:59,610 [root] DEBUG: 6700: YaraScan: Scanning 0x00D20000, size 0x136e8\n2026-04-16 22:26:59,626 [root] DEBUG: 6700: ProcessImageBase: Main module image at 0x00D20000 unmodified (entropy change 0.000000e+00)\n2026-04-16 22:26:59,766 [root] DEBUG: 6700: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 816).\n2026-04-16 22:26:59,766 [root] DEBUG: 6700: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-04-16 22:26:59,782 [root] DEBUG: 6700: Target DLL loaded at 0x05AC0000: C:\\Users\\cape\\AppData\\Local\\Temp\\System.Data.SQLite (0x44000 bytes).\n2026-04-16 22:26:59,782 [root] 
DEBUG: 6700: YaraScan: Scanning 0x05AC0000, size 0x1f0\n2026-04-16 22:26:59,938 [root] DEBUG: 6700: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 816).\n2026-04-16 22:26:59,954 [root] DEBUG: 6700: ProcessTrackedRegion: Region at 0x77150000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-04-16 22:27:00,048 [root] DEBUG: 6700: DLL loaded at 0x73B20000: C:\\Windows\\SYSTEM32\\TextShaping (0x94000 bytes).\n2026-04-16 22:27:00,110 [root] DEBUG: 6700: DLL loaded at 0x745D0000: C:\\Windows\\system32\\uxtheme (0x74000 bytes).\n2026-04-16 22:27:00,126 [root] DEBUG: 6700: DLL loaded at 0x76BA0000: C:\\Windows\\System32\\MSCTF (0xd4000 bytes).\n2026-04-16 22:27:00,157 [root] DEBUG: 6700: set_hooks_by_export_directory: Hooked 0 out of 632 functions\n2026-04-16 22:27:00,157 [root] DEBUG: 6700: DLL loaded at 0x75250000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2026-04-16 22:27:00,157 [root] DEBUG: 6700: DLL loaded at 0x76D80000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2026-04-16 22:27:00,360 [root] DEBUG: 6700: DLL loaded at 0x73710000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2026-04-16 22:27:00,360 [root] DEBUG: 6700: DLL loaded at 0x73740000: C:\\Windows\\System32\\CoreMessaging (0x9b000 bytes).\n2026-04-16 22:27:00,360 [root] DEBUG: 6700: DLL loaded at 0x73630000: C:\\Windows\\SYSTEM32\\wintypes (0xdb000 bytes).\n2026-04-16 22:27:00,360 [root] DEBUG: 6700: DLL loaded at 0x737E0000: C:\\Windows\\System32\\CoreUIComponents (0x27e000 bytes).\n2026-04-16 22:27:00,360 [root] DEBUG: 6700: DLL loaded at 0x73A60000: C:\\Windows\\SYSTEM32\\textinputframework (0xb9000 bytes).\n2026-04-16 22:30:18,703 [root] INFO: Analysis timeout hit, terminating analysis\n2026-04-16 22:30:18,703 [lib.api.process] INFO: Terminate event set for <Process 6700 rundll32.exe>\n2026-04-16 22:30:18,703 [root] DEBUG: 6700: Terminate Event: Attempting to dump 
process 6700\n2026-04-16 22:30:18,718 [root] DEBUG: 6700: VerifyCodeSection: Executable code does not match, 0x3c762 of 0x3c763 matching\n2026-04-16 22:30:18,718 [root] DEBUG: 6700: DoProcessDump: Code modification detected, dumping Imagebase at 0x05AC0000.\n2026-04-16 22:30:18,718 [root] DEBUG: 6700: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-04-16 22:30:18,718 [root] DEBUG: 6700: DumpProcess: Instantiating PeParser with address: 0x05AC0000.\n2026-04-16 22:30:18,734 [root] DEBUG: 6700: DumpProcess: Module entry point VA is 0x05AFE75E.\n2026-04-16 22:30:18,734 [root] DEBUG: 6700: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05AC2000, section 1\n2026-04-16 22:30:18,734 [root] DEBUG: 6700: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05B00000, section 2\n2026-04-16 22:30:18,750 [root] DEBUG: 6700: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05B02000, section 3\n2026-04-16 22:30:18,750 [root] DEBUG: 6700: reBasePEImage: Exception rebasing image from 0x05AC0000 to 0x00400000.\n2026-04-16 22:30:18,750 [root] DEBUG: 6700: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000.\n2026-04-16 22:30:23,703 [lib.api.process] INFO: Termination confirmed for <Process 6700 rundll32.exe>\n2026-04-16 22:30:23,703 [root] INFO: Terminate event set for process 6700\n2026-04-16 22:30:23,703 [root] INFO: Created shutdown mutex\n2026-04-16 22:30:24,719 [root] INFO: Shutting down package\n2026-04-16 22:30:24,719 [root] INFO: Stopping auxiliary modules\n2026-04-16 22:30:24,719 [root] INFO: Stopping auxiliary module: Browser\n2026-04-16 22:30:24,719 [root] INFO: Stopping auxiliary module: Human\n2026-04-16 22:30:29,562 [root] INFO: Stopping auxiliary module: Screenshots\n2026-04-16 22:30:29,937 [root] INFO: Finishing auxiliary modules\n2026-04-16 22:30:29,937 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-04-16 
22:31:21,328 [root] WARNING: Folder at path \"C:\\QTacMJke\\debugger\" does not exist, skipping\n2026-04-16 22:31:21,343 [root] INFO: Uploading files at path \"C:\\QTacMJke\\tlsdump\"\n2026-04-16 22:31:21,343 [lib.common.results] INFO: Uploading file C:\\QTacMJke\\tlsdump\\tlsdump.log to tlsdump\\tlsdump.log; Size is 20276; Max size: 100000000\n2026-04-16 22:31:21,359 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "30920e4658f59b2a5777d40344866d0bf7cdc1074cc7780984176a8b2f626e9a",
    "hosts": [
      {
        "ip": "20.93.72.182",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "46.149.110.67",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "72.154.7.16",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.108",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.100",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.105",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.102",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.98",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.101",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.107",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.109",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "13.107.6.156",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.41",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.165.94.54",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.49",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "150.171.27.11",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "40.126.53.14",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "173.194.73.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "i.pki.goog",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "52.123.242.97",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.42.65.93",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "4.207.247.139",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.56",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.189.173.2",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      }
    ],
    "domains": [
      {
        "domain": "i.pki.goog",
        "ip": "173.194.221.94"
      }
    ],
    "tcp": [
      {
        "src": "192.168.1.100",
        "sport": 49723,
        "dst": "20.189.173.2",
        "dport": 443,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.1.100",
        "sport": 49724,
        "dst": "20.189.173.2",
        "dport": 443,
        "offset": 95,
        "time": 0.9216718673706055
      },
      {
        "src": "192.168.1.100",
        "sport": 49718,
        "dst": "84.47.178.56",
        "dport": 443,
        "offset": 166,
        "time": 4.827615976333618
      },
      {
        "src": "192.168.1.100",
        "sport": 49806,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 682,
        "time": 5.230932950973511
      },
      {
        "src": "192.168.1.100",
        "sport": 49810,
        "dst": "8.8.8.8",
        "dport": 443,
        "offset": 29655,
        "time": 6.2567009925842285
      },
      {
        "src": "192.168.1.100",
        "sport": 49784,
        "dst": "40.126.53.14",
        "dport": 443,
        "offset": 31544,
        "time": 6.267698049545288
      },
      {
        "src": "192.168.1.100",
        "sport": 49811,
        "dst": "173.194.73.94",
        "dport": 80,
        "offset": 37869,
        "time": 6.273308038711548
      },
      {
        "src": "192.168.1.100",
        "sport": 49813,
        "dst": "8.8.8.8",
        "dport": 443,
        "offset": 61408,
        "time": 6.472993850708008
      },
      {
        "src": "192.168.1.100",
        "sport": 49815,
        "dst": "128.75.237.138",
        "dport": 80,
        "offset": 87456,
        "time": 6.527192831039429
      },
      {
        "src": "192.168.1.100",
        "sport": 49728,
        "dst": "150.171.27.11",
        "dport": 443,
        "offset": 91611,
        "time": 6.541623830795288
      },
      {
        "src": "192.168.1.100",
        "sport": 49817,
        "dst": "150.171.27.11",
        "dport": 443,
        "offset": 95864,
        "time": 6.583031892776489
      },
      {
        "src": "192.168.1.100",
        "sport": 49818,
        "dst": "84.47.178.49",
        "dport": 443,
        "offset": 99485,
        "time": 6.6046178340911865
      },
      {
        "src": "192.168.1.100",
        "sport": 49820,
        "dst": "84.47.178.49",
        "dport": 443,
        "offset": 247208,
        "time": 6.825214862823486
      },
      {
        "src": "192.168.1.100",
        "sport": 49823,
        "dst": "23.11.40.157",
        "dport": 80,
        "offset": 372070,
        "time": 7.305431842803955
      },
      {
        "src": "192.168.1.100",
        "sport": 49824,
        "dst": "194.158.198.23",
        "dport": 80,
        "offset": 375428,
        "time": 7.450387001037598
      },
      {
        "src": "192.168.1.100",
        "sport": 49826,
        "dst": "40.126.53.14",
        "dport": 443,
        "offset": 412378,
        "time": 7.893106937408447
      },
      {
        "src": "192.168.1.100",
        "sport": 49828,
        "dst": "40.126.53.14",
        "dport": 443,
        "offset": 418487,
        "time": 8.041452884674072
      },
      {
        "src": "192.168.1.100",
        "sport": 49829,
        "dst": "20.42.65.93",
        "dport": 443,
        "offset": 461377,
        "time": 10.356269836425781
      },
      {
        "src": "192.168.1.100",
        "sport": 49831,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 474616,
        "time": 25.27602982521057
      },
      {
        "src": "192.168.1.100",
        "sport": 49833,
        "dst": "20.190.177.23",
        "dport": 443,
        "offset": 498727,
        "time": 34.709553956985474
      },
      {
        "src": "192.168.1.100",
        "sport": 49834,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 536112,
        "time": 34.94776201248169
      },
      {
        "src": "192.168.1.100",
        "sport": 49836,
        "dst": "13.107.253.44",
        "dport": 443,
        "offset": 564524,
        "time": 35.147562980651855
      },
      {
        "src": "4.207.247.139",
        "sport": 443,
        "dst": "192.168.1.100",
        "dport": 49737,
        "offset": 571167,
        "time": 35.17974305152893
      },
      {
        "src": "192.168.1.100",
        "sport": 49839,
        "dst": "20.72.205.209",
        "dport": 443,
        "offset": 692308,
        "time": 35.408501863479614
      },
      {
        "src": "192.168.1.100",
        "sport": 49841,
        "dst": "52.182.143.211",
        "dport": 443,
        "offset": 745151,
        "time": 36.00822186470032
      },
      {
        "src": "192.168.1.100",
        "sport": 49843,
        "dst": "185.5.161.201",
        "dport": 80,
        "offset": 780126,
        "time": 36.42800998687744
      },
      {
        "src": "192.168.1.100",
        "sport": 49847,
        "dst": "20.72.205.209",
        "dport": 443,
        "offset": 1481227,
        "time": 37.477412939071655
      },
      {
        "src": "192.168.1.100",
        "sport": 49849,
        "dst": "20.190.177.23",
        "dport": 443,
        "offset": 1488387,
        "time": 37.904582023620605
      },
      {
        "src": "192.168.1.100",
        "sport": 49850,
        "dst": "20.72.205.209",
        "dport": 443,
        "offset": 1526519,
        "time": 38.2055139541626
      },
      {
        "src": "192.168.1.100",
        "sport": 49853,
        "dst": "74.178.240.61",
        "dport": 443,
        "offset": 1569611,
        "time": 38.727761030197144
      },
      {
        "src": "192.168.1.100",
        "sport": 49856,
        "dst": "20.165.94.54",
        "dport": 443,
        "offset": 1585506,
        "time": 39.26581001281738
      },
      {
        "src": "192.168.1.100",
        "sport": 49858,
        "dst": "4.210.40.181",
        "dport": 443,
        "offset": 1591121,
        "time": 39.66632390022278
      },
      {
        "src": "192.168.1.100",
        "sport": 49710,
        "dst": "84.47.178.41",
        "dport": 443,
        "offset": 1597430,
        "time": 39.714831829071045
      },
      {
        "src": "192.168.1.100",
        "sport": 49716,
        "dst": "84.47.178.56",
        "dport": 443,
        "offset": 1626559,
        "time": 39.79321002960205
      },
      {
        "src": "192.168.1.100",
        "sport": 49862,
        "dst": "74.178.240.61",
        "dport": 443,
        "offset": 1631326,
        "time": 39.994345903396606
      },
      {
        "src": "192.168.1.100",
        "sport": 49719,
        "dst": "8.8.4.4",
        "dport": 443,
        "offset": 1658675,
        "time": 40.261735916137695
      },
      {
        "src": "192.168.1.100",
        "sport": 49720,
        "dst": "8.8.4.4",
        "dport": 443,
        "offset": 1672678,
        "time": 40.98029184341431
      },
      {
        "src": "192.168.1.100",
        "sport": 49708,
        "dst": "13.107.6.156",
        "dport": 443,
        "offset": 1672819,
        "time": 41.01152586936951
      },
      {
        "src": "192.168.1.100",
        "sport": 49866,
        "dst": "48.192.143.121",
        "dport": 443,
        "offset": 1697701,
        "time": 42.00288987159729
      },
      {
        "src": "192.168.1.100",
        "sport": 49712,
        "dst": "84.47.178.41",
        "dport": 443,
        "offset": 1702425,
        "time": 42.19945287704468
      },
      {
        "src": "192.168.1.100",
        "sport": 49869,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 1702896,
        "time": 42.242573976516724
      },
      {
        "src": "192.168.1.100",
        "sport": 49871,
        "dst": "52.137.106.217",
        "dport": 443,
        "offset": 1884566,
        "time": 43.07280683517456
      },
      {
        "src": "192.168.1.100",
        "sport": 49874,
        "dst": "52.137.106.217",
        "dport": 443,
        "offset": 2718094,
        "time": 45.47012686729431
      },
      {
        "src": "192.168.1.100",
        "sport": 49877,
        "dst": "40.74.98.195",
        "dport": 443,
        "offset": 2764963,
        "time": 47.609946966171265
      },
      {
        "src": "192.168.1.100",
        "sport": 49880,
        "dst": "23.46.118.69",
        "dport": 443,
        "offset": 2779123,
        "time": 48.222296953201294
      },
      {
        "src": "192.168.1.100",
        "sport": 49883,
        "dst": "52.137.106.217",
        "dport": 443,
        "offset": 2794803,
        "time": 50.18647384643555
      },
      {
        "src": "192.168.1.100",
        "sport": 49885,
        "dst": "23.11.40.157",
        "dport": 80,
        "offset": 2805982,
        "time": 50.486546993255615
      },
      {
        "src": "192.168.1.100",
        "sport": 49889,
        "dst": "2.23.88.9",
        "dport": 443,
        "offset": 2815484,
        "time": 51.79829382896423
      },
      {
        "src": "192.168.1.100",
        "sport": 49891,
        "dst": "52.140.118.28",
        "dport": 443,
        "offset": 3820101,
        "time": 67.12752604484558
      },
      {
        "src": "192.168.1.100",
        "sport": 49893,
        "dst": "194.158.198.23",
        "dport": 80,
        "offset": 3828900,
        "time": 68.10467886924744
      },
      {
        "src": "192.168.1.100",
        "sport": 49895,
        "dst": "52.140.118.28",
        "dport": 443,
        "offset": 3843664,
        "time": 69.34740781784058
      },
      {
        "src": "192.168.1.100",
        "sport": 49897,
        "dst": "52.140.118.28",
        "dport": 443,
        "offset": 3860148,
        "time": 70.29533195495605
      },
      {
        "src": "192.168.1.100",
        "sport": 49899,
        "dst": "150.171.109.53",
        "dport": 443,
        "offset": 4156302,
        "time": 71.77561783790588
      },
      {
        "src": "192.168.1.100",
        "sport": 49901,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 4293761,
        "time": 72.1876380443573
      },
      {
        "src": "192.168.1.100",
        "sport": 49903,
        "dst": "52.123.129.14",
        "dport": 443,
        "offset": 4413584,
        "time": 73.26213788986206
      },
      {
        "src": "192.168.1.100",
        "sport": 49905,
        "dst": "104.46.162.226",
        "dport": 443,
        "offset": 5327899,
        "time": 77.08743381500244
      },
      {
        "src": "192.168.1.100",
        "sport": 49911,
        "dst": "199.232.214.172",
        "dport": 80,
        "offset": 113902468,
        "time": 169.40033602714539
      },
      {
        "src": "192.168.1.100",
        "sport": 49912,
        "dst": "2.23.89.205",
        "dport": 443,
        "offset": 113923936,
        "time": 173.76063585281372
      },
      {
        "src": "192.168.1.100",
        "sport": 49914,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 113947468,
        "time": 174.67304801940918
      },
      {
        "src": "192.168.1.100",
        "sport": 49915,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 113950538,
        "time": 175.01964497566223
      },
      {
        "src": "192.168.1.100",
        "sport": 49917,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 113968533,
        "time": 175.16139388084412
      },
      {
        "src": "192.168.1.100",
        "sport": 49918,
        "dst": "72.154.7.107",
        "dport": 443,
        "offset": 115792577,
        "time": 175.8093569278717
      },
      {
        "src": "192.168.1.100",
        "sport": 49920,
        "dst": "72.154.7.17",
        "dport": 443,
        "offset": 115793465,
        "time": 175.82170486450195
      },
      {
        "src": "192.168.1.100",
        "sport": 49922,
        "dst": "2.23.90.38",
        "dport": 443,
        "offset": 115815369,
        "time": 176.66035985946655
      },
      {
        "src": "192.168.1.100",
        "sport": 49924,
        "dst": "2.23.90.38",
        "dport": 443,
        "offset": 115839757,
        "time": 176.9556179046631
      },
      {
        "src": "192.168.1.100",
        "sport": 49926,
        "dst": "150.171.22.17",
        "dport": 443,
        "offset": 115863823,
        "time": 180.44972896575928
      },
      {
        "src": "192.168.1.100",
        "sport": 49928,
        "dst": "23.11.40.157",
        "dport": 80,
        "offset": 116342398,
        "time": 205.88042187690735
      },
      {
        "src": "192.168.1.100",
        "sport": 49930,
        "dst": "128.75.237.48",
        "dport": 443,
        "offset": 116351411,
        "time": 206.52538990974426
      },
      {
        "src": "192.168.1.100",
        "sport": 49932,
        "dst": "20.189.173.9",
        "dport": 443,
        "offset": 116487760,
        "time": 213.75111603736877
      },
      {
        "src": "192.168.1.100",
        "sport": 49935,
        "dst": "52.123.242.138",
        "dport": 443,
        "offset": 116514278,
        "time": 233.40369701385498
      },
      {
        "src": "192.168.1.100",
        "sport": 49936,
        "dst": "74.178.76.128",
        "dport": 443,
        "offset": 116540446,
        "time": 238.88430500030518
      },
      {
        "src": "192.168.1.100",
        "sport": 49938,
        "dst": "20.189.173.23",
        "dport": 443,
        "offset": 116551853,
        "time": 242.81025981903076
      }
    ],
    "udp": [
      {
        "src": "192.168.1.100",
        "sport": 58854,
        "dst": "8.8.8.8",
        "dport": 443,
        "offset": 8890,
        "time": 6.203717947006226
      },
      {
        "src": "192.168.1.100",
        "sport": 52087,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 28622,
        "time": 6.233264923095703
      },
      {
        "src": "192.168.1.100",
        "sport": 62453,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 68739,
        "time": 6.489078044891357
      },
      {
        "src": "192.168.1.100",
        "sport": 59748,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 369115,
        "time": 6.9346678256988525
      },
      {
        "src": "192.168.1.100",
        "sport": 49187,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 371273,
        "time": 7.171459913253784
      },
      {
        "src": "192.168.1.100",
        "sport": 138,
        "dst": "192.168.1.255",
        "dport": 138,
        "offset": 482146,
        "time": 31.66370701789856
      },
      {
        "src": "192.168.1.100",
        "sport": 63652,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 560066,
        "time": 35.08013296127319
      },
      {
        "src": "192.168.1.100",
        "sport": 64859,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 706610,
        "time": 35.75243401527405
      },
      {
        "src": "192.168.1.100",
        "sport": 55416,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 779065,
        "time": 36.402657985687256
      },
      {
        "src": "192.168.1.100",
        "sport": 50620,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1526805,
        "time": 38.21780300140381
      },
      {
        "src": "192.168.1.100",
        "sport": 57989,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1630730,
        "time": 39.927321910858154
      },
      {
        "src": "192.168.1.100",
        "sport": 62230,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1692780,
        "time": 41.82962083816528
      },
      {
        "src": "192.168.1.100",
        "sport": 65234,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 2764379,
        "time": 47.331130027770996
      },
      {
        "src": "192.168.1.100",
        "sport": 53207,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 2794554,
        "time": 50.15921497344971
      },
      {
        "src": "192.168.1.100",
        "sport": 55533,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 2814947,
        "time": 51.74102187156677
      },
      {
        "src": "192.168.1.100",
        "sport": 63922,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 3827881,
        "time": 68.03922486305237
      },
      {
        "src": "192.168.1.100",
        "sport": 51489,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 3867592,
        "time": 71.07510590553284
      },
      {
        "src": "192.168.1.100",
        "sport": 56026,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 4170257,
        "time": 71.9353940486908
      },
      {
        "src": "192.168.1.100",
        "sport": 60107,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 4412989,
        "time": 73.21732091903687
      },
      {
        "src": "192.168.1.100",
        "sport": 59204,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 113899263,
        "time": 168.85403394699097
      },
      {
        "src": "192.168.1.100",
        "sport": 58835,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 113923369,
        "time": 173.73583602905273
      },
      {
        "src": "192.168.1.100",
        "sport": 50877,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 113935173,
        "time": 174.3897340297699
      },
      {
        "src": "192.168.1.100",
        "sport": 65098,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 113949209,
        "time": 174.90579390525818
      },
      {
        "src": "192.168.1.100",
        "sport": 50621,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 115791085,
        "time": 175.61963081359863
      },
      {
        "src": "192.168.1.100",
        "sport": 59263,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 115791815,
        "time": 175.65583181381226
      },
      {
        "src": "192.168.1.100",
        "sport": 62469,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 115863232,
        "time": 180.40608191490173
      },
      {
        "src": "192.168.1.100",
        "sport": 53950,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 116332810,
        "time": 205.44998002052307
      },
      {
        "src": "192.168.1.100",
        "sport": 50532,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 116341089,
        "time": 205.70009183883667
      },
      {
        "src": "192.168.1.100",
        "sport": 50744,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116487179,
        "time": 213.55100393295288
      },
      {
        "src": "192.168.1.100",
        "sport": 60944,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116513249,
        "time": 232.8260178565979
      },
      {
        "src": "192.168.1.100",
        "sport": 51470,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116545368,
        "time": 242.02581787109375
      },
      {
        "src": "192.168.1.100",
        "sport": 52840,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116568587,
        "time": 311.2949779033661
      }
    ],
    "icmp": [
      {
        "src": "192.168.1.100",
        "dst": "8.8.4.4",
        "type": 3,
        "data": ""
      },
      {
        "src": "192.168.1.100",
        "dst": "8.8.8.8",
        "type": 3,
        "data": ""
      }
    ],
    "http": [
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /gsr1.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/gsr1.crt",
        "body": "",
        "path": "/gsr1.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378382.982803
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /r4.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/r4.crt",
        "body": "",
        "path": "/r4.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378383.003842
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /we2.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/we2.crt",
        "body": "",
        "path": "/we2.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378383.023426
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /gsr4.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/gsr4.crt",
        "body": "",
        "path": "/gsr4.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378383.0474
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 9w5907Ispk2VhKxnXP29cg.0.2.3.1.1\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378551.382543
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=0-1\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 9w5907Ispk2VhKxnXP29cg.0.2.6.1.1.1\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378551.72914
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=1048576-1697335\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 9w5907Ispk2VhKxnXP29cg.0.2.6.1.1.2\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378551.816398
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=0-1048575\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 9w5907Ispk2VhKxnXP29cg.0.2.6.1.1.3\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378551.870889
      }
    ],
    "dns": [
      {
        "request": "i.pki.goog",
        "type": "A",
        "answers": [
          {
            "type": "A",
            "data": "173.194.73.94"
          },
          {
            "type": "CNAME",
            "data": "pki-goog.l.google.com"
          }
        ],
        "first_seen": 1776378382.94276
      }
    ],
    "smtp": [],
    "irc": [],
    "dead_hosts": [
      [
        "52.123.242.97",
        443
      ],
      [
        "72.154.7.109",
        443
      ],
      [
        "72.154.7.98",
        443
      ],
      [
        "72.154.7.101",
        443
      ],
      [
        "72.154.7.102",
        443
      ],
      [
        "72.154.7.105",
        443
      ],
      [
        "72.154.7.100",
        443
      ],
      [
        "72.154.7.108",
        443
      ],
      [
        "72.154.7.16",
        443
      ]
    ]
  },
  "suricata": {
    "alerts": [],
    "tls": [
      {
        "srcport": 49810,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-16 22:26:22.987544+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "87c36e0efdb847c153954b9f4778e764",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,45-13-43-51-23-0-65037-65281-5-27-10-11-35-18-16-17613,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      },
      {
        "srcport": 49813,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-16 22:26:23.196997+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "eca10cbdddc3be37612b1d322437c105",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,51-23-5-45-27-65281-0-35-16-65037-43-10-17613-13-18-11,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      },
      {
        "srcport": 49860,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-16 22:26:56.470485+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "00cf290bd02b8f31a70af6a46e70e981",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,18-10-16-17613-11-65037-13-0-51-5-27-43-45-23-35-65281,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      }
    ],
    "perf": [],
    "files": [],
    "http": [
      {
        "srcport": 49811,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:26:23.000550+0000",
        "uri": "/gsr1.crt",
        "length": 797,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49811,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:26:23.023426+0000",
        "uri": "/r4.crt",
        "length": 455,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49811,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:26:23.047400+0000",
        "uri": "/we2.crt",
        "length": 582,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49811,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:26:23.080961+0000",
        "uri": "/gsr4.crt",
        "length": 480,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49811,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:26:23.098806+0000",
        "uri": "/gsr1.crt",
        "length": 797,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49811,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:26:23.124692+0000",
        "uri": "/r4.crt",
        "length": 455,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49811,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:26:23.147352+0000",
        "uri": "/we2.crt",
        "length": 582,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49811,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:26:23.208492+0000",
        "uri": "/gsr4.crt",
        "length": 480,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49914,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:29:11.474566+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "length": 246,
        "hostname": "46.149.110.67",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49915,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:29:11.816398+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 2,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49915,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:29:12.101798+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 648760,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49917,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:29:12.274126+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      }
    ],
    "dns": [
      {
        "timestamp": "2026-04-16T22:26:22.942760+0000",
        "flow_id": 1797326795585948,
        "pcap_cnt": 54,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 52087,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 51226,
          "rrname": "i.pki.goog",
          "rrtype": "A",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-16T22:26:22.964708+0000",
        "flow_id": 1797326795585948,
        "pcap_cnt": 59,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 52087,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 51226,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "i.pki.goog",
          "rrtype": "A",
          "rcode": "NOERROR",
          "answers": [
            {
              "rrname": "i.pki.goog",
              "rrtype": "CNAME",
              "ttl": 115,
              "rdata": "pki-goog.l.google.com"
            },
            {
              "rrname": "pki-goog.l.google.com",
              "rrtype": "A",
              "ttl": 300,
              "rdata": "173.194.73.94"
            }
          ],
          "grouped": {
            "A": [
              "173.194.73.94"
            ],
            "CNAME": [
              "pki-goog.l.google.com"
            ]
          }
        }
      },
      {
        "timestamp": "2026-04-16T22:26:22.942523+0000",
        "flow_id": 1796307097018160,
        "pcap_cnt": 53,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 56333,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 30694,
          "rrname": "i.pki.goog",
          "rrtype": "HTTPS",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-16T22:26:22.961515+0000",
        "flow_id": 1796307097018160,
        "pcap_cnt": 58,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 56333,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 30694,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "i.pki.goog",
          "rrtype": "HTTPS",
          "rcode": "NOERROR",
          "answers": [
            {
              "rrname": "i.pki.goog",
              "rrtype": "CNAME",
              "ttl": 52,
              "rdata": "pki-goog.l.google.com"
            }
          ],
          "grouped": {
            "CNAME": [
              "pki-goog.l.google.com"
            ]
          },
          "authorities": [
            {
              "rrname": "l.google.com",
              "rrtype": "SOA",
              "ttl": 60,
              "soa": {
                "mname": "ns1.google.com",
                "rname": "dns-admin.google.com",
                "serial": 900627266,
                "refresh": 900,
                "retry": 900,
                "expire": 1800,
                "minimum": 60
              }
            }
          ]
        }
      }
    ],
    "ssh": [],
    "fileinfo": [],
    "eve_log_full_path": "/opt/CAPEv2/storage/analyses/35/logs/eve.json",
    "alert_log_full_path": null,
    "tls_log_full_path": null,
    "http_log_full_path": null,
    "file_log_full_path": null,
    "ssh_log_full_path": null,
    "dns_log_full_path": null
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "stealth_network",
      "description": "Network activity detected but not expressed in monitor API logs",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "ip": "20.93.72.182"
        },
        {
          "ip": "46.149.110.67"
        },
        {
          "ip": "72.154.7.16"
        },
        {
          "ip": "72.154.7.108"
        },
        {
          "ip": "72.154.7.100"
        },
        {
          "ip": "72.154.7.105"
        },
        {
          "ip": "72.154.7.102"
        },
        {
          "ip": "72.154.7.98"
        },
        {
          "ip": "72.154.7.101"
        },
        {
          "ip": "72.154.7.107"
        },
        {
          "ip": "72.154.7.109"
        },
        {
          "ip": "13.107.6.156"
        },
        {
          "ip": "84.47.178.41"
        },
        {
          "ip": "20.165.94.54"
        },
        {
          "ip": "84.47.178.49"
        },
        {
          "ip": "150.171.27.11"
        },
        {
          "ip": "40.126.53.14"
        },
        {
          "ip": "173.194.73.94"
        },
        {
          "ip": "52.123.242.97"
        },
        {
          "ip": "20.42.65.93"
        },
        {
          "ip": "4.207.247.139"
        },
        {
          "ip": "84.47.178.56"
        },
        {
          "ip": "20.189.173.2"
        },
        {
          "domain": "i.pki.goog"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "static_pe_pdbpath",
      "description": "The PE file contains a PDB path",
      "categories": [
        "static"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 80,
      "references": [
        "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
      ],
      "data": [
        {
          "pdbpath": "c:\\dev\\sqlite\\dotnet\\obj\\2005\\Release\\System.Data.SQLite.pdb"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_cnc_http",
      "description": "HTTP traffic contains suspicious features that may be indicative of malware-related traffic",
      "categories": [
        "network",
        "c2"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
        },
        {
          "suspicious_request": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "suspicious_request": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_http",
      "description": "Performs some HTTP requests",
      "categories": [
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "url": "http://i.pki.goog/gsr1.crt"
        },
        {
          "url": "http://i.pki.goog/r4.crt"
        },
        {
          "url": "http://i.pki.goog/we2.crt"
        },
        {
          "url": "http://i.pki.goog/gsr4.crt"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "binary_yara",
      "description": "Binary file triggered multiple YARA rules",
      "categories": [
        "static"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "Binary triggered YARA rule": "NETDLLMicrosoft"
        },
        {
          "Binary triggered YARA rule": "IsPE32"
        },
        {
          "Binary triggered YARA rule": "IsNET_DLL"
        },
        {
          "Binary triggered YARA rule": "IsDLL"
        },
        {
          "Binary triggered YARA rule": "IsConsole"
        },
        {
          "Binary triggered YARA rule": "HasDebugData"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_Studio_NET"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_C_v70_Basic_NET_additional"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_C_Basic_NET"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_Studio_NET_additional"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_C_v70_Basic_NET"
        },
        {
          "Binary triggered YARA rule": "NET_executable_"
        },
        {
          "Binary triggered YARA rule": "NET_executable"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_questionable_http_path",
      "description": "Makes a suspicious HTTP request to a commonly exploitable directory with a questionable file extension",
      "categories": [
        "network"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983348&P2=404&P3=2&P4=ON9CsQXTX1GnMijC%2fAgylmXozyIbnmEe2cwcU33kspyuqwIyAFYm2Oc6gHMERzabWotxXSvPP1WgVzK14D8Mrw%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 3.1,
  "ttps": [
    {
      "signature": "network_cnc_http",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OB0004",
        "B0033",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_http",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_questionable_http_path",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "static_pe_pdbpath",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    }
  ],
  "malstatus": "Clean"
}