{
  "statistics": {
    "processing": [
      {
        "name": "AnalysisInfo",
        "time": 0.211
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.987
      },
      {
        "name": "Debug",
        "time": 0.005
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.41
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.008
      },
      {
        "name": "ProcessMemory",
        "time": 0.004
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antidebug_ntcreatethreadex",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_setunhandledexceptionfilter",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_func",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "antisandbox_mouse_hook",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_objects",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_scsi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_services",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_window",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "suspicious_ioctl_scsipassthough",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "debugs_self",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "guloader_apis",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "koadic_apis",
        "time": 0.0
      },
      {
        "name": "koadic_network_activity",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "cryptbot_network",
        "time": 0.0
      },
      {
        "name": "infostealer_keylog",
        "time": 0.0
      },
      {
        "name": "masslogger_artifacts",
        "time": 0.0
      },
      {
        "name": "purplewave_network_activity",
        "time": 0.0
      },
      {
        "name": "quilclipper_behavior",
        "time": 0.0
      },
      {
        "name": "raccoon_behavior",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "vidar_behavior",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypt_pcinfo",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agenttesla_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agentteslat2_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_nanocore",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webshoting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "nemty_network_activity",
        "time": 0.0
      },
      {
        "name": "nemty_note",
        "time": 0.0
      },
      {
        "name": "sodinokibi_behavior",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_registry",
        "time": 0.0
      },
      {
        "name": "blackrat_apis",
        "time": 0.0
      },
      {
        "name": "blackrat_network_activity",
        "time": 0.0
      },
      {
        "name": "blackrat_registry_keys",
        "time": 0.0
      },
      {
        "name": "dcrat_behavior",
        "time": 0.0
      },
      {
        "name": "karagany_system_event_objects",
        "time": 0.0
      },
      {
        "name": "rat_luminosity",
        "time": 0.0
      },
      {
        "name": "rat_nanocore",
        "time": 0.0
      },
      {
        "name": "netwire_behavior",
        "time": 0.0
      },
      {
        "name": "obliquerat_network_activity",
        "time": 0.0
      },
      {
        "name": "orcusrat_behavior",
        "time": 0.0
      },
      {
        "name": "trochilusrat_apis",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "remcos_shell_code_dynamic_wrapper_x",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_system_procname",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "neshta_files",
        "time": 0.0
      },
      {
        "name": "neshta_regkeys",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.004
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.003
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.005
      },
      {
        "name": "bot_drive2",
        "time": 0.004
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.007
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.005
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.004
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.001
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.003
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.012
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.134
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.024
      },
      {
        "name": "antiav_detectreg",
        "time": 0.599
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.004
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.004
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.005
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.004
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.013
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.008
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.022
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.001
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.006
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.062
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.007
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.036
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.004
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.019
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.026
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "gulpix_behavior",
        "time": 0.0
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.006
      },
      {
        "name": "okrum_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_cridex",
        "time": 0.0
      },
      {
        "name": "geodo_banking_trojan",
        "time": 0.017
      },
      {
        "name": "banker_spyeye_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_zeus_mutex",
        "time": 0.0
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "accesses_primary_patition",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.005
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.011
      },
      {
        "name": "checks_uac_status",
        "time": 0.001
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "carberp_mutex",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.005
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "cypherit_mutexes",
        "time": 0.0
      },
      {
        "name": "darkcomet_regkeys",
        "time": 0.006
      },
      {
        "name": "datop_loader",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.004
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.005
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "andromut_mutexes",
        "time": 0.0
      },
      {
        "name": "downloader_cabby",
        "time": 0.0
      },
      {
        "name": "phorpiex_mutexes",
        "time": 0.0
      },
      {
        "name": "protonbot_mutexes",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "apocalypse_stealer_file_behavior",
        "time": 0.0
      },
      {
        "name": "arkei_files",
        "time": 0.0
      },
      {
        "name": "azorult_mutexes",
        "time": 0.001
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.008
      },
      {
        "name": "cryptbot_files",
        "time": 0.004
      },
      {
        "name": "echelon_files",
        "time": 0.003
      },
      {
        "name": "infostealer_ftp",
        "time": 0.184
      },
      {
        "name": "infostealer_im",
        "time": 0.1
      },
      {
        "name": "infostealer_mail",
        "time": 0.023
      },
      {
        "name": "masslogger_files",
        "time": 0.0
      },
      {
        "name": "poullight_files",
        "time": 0.009
      },
      {
        "name": "purplewave_mutexes",
        "time": 0.0
      },
      {
        "name": "quilclipper_mutexes",
        "time": 0.0
      },
      {
        "name": "qulab_files",
        "time": 0.005
      },
      {
        "name": "qulab_mutexes",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.014
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.003
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.004
      },
      {
        "name": "network_dns_opennic",
        "time": 0.001
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.0
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.005
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.001
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.004
      },
      {
        "name": "suspicious_tld",
        "time": 0.012
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.001
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.005
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powerpool_mutexes",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "cryptomix_mutexes",
        "time": 0.004
      },
      {
        "name": "dharma_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions",
        "time": 0.013
      },
      {
        "name": "ransomware_files",
        "time": 0.024
      },
      {
        "name": "fonix_mutexes",
        "time": 0.0
      },
      {
        "name": "gandcrab_mutexes",
        "time": 0.0
      },
      {
        "name": "germanwiper_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_regkeys",
        "time": 0.001
      },
      {
        "name": "nemty_mutexes",
        "time": 0.0
      },
      {
        "name": "nemty_regkeys",
        "time": 0.0
      },
      {
        "name": "pysa_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_radamant",
        "time": 0.0
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "revil_mutexes",
        "time": 0.001
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "satan_mutexes",
        "time": 0.004
      },
      {
        "name": "snake_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_cmd",
        "time": 0.0
      },
      {
        "name": "ransomware_stopdjvu",
        "time": 0.0
      },
      {
        "name": "rat_beebus_mutexes",
        "time": 0.0
      },
      {
        "name": "blacknet_mutexes",
        "time": 0.0
      },
      {
        "name": "blackrat_mutexes",
        "time": 0.0
      },
      {
        "name": "crat_mutexes",
        "time": 0.003
      },
      {
        "name": "dcrat_files",
        "time": 0.0
      },
      {
        "name": "dcrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_fynloski_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_regkeys",
        "time": 0.006
      },
      {
        "name": "lodarat_file_behavior",
        "time": 0.0
      },
      {
        "name": "modirat_behavior",
        "time": 0.004
      },
      {
        "name": "njrat_regkeys",
        "time": 0.0
      },
      {
        "name": "obliquerat_files",
        "time": 0.0
      },
      {
        "name": "obliquerat_mutexes",
        "time": 0.0
      },
      {
        "name": "parallax_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_pcclient",
        "time": 0.005
      },
      {
        "name": "rat_plugx_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_poisonivy_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_quasar_mutexes",
        "time": 0.0
      },
      {
        "name": "ratsnif_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_spynet",
        "time": 0.0
      },
      {
        "name": "venomrat_mutexes",
        "time": 0.005
      },
      {
        "name": "warzonerat_files",
        "time": 0.0
      },
      {
        "name": "warzonerat_regkeys",
        "time": 0.001
      },
      {
        "name": "xpertrat_files",
        "time": 0.0
      },
      {
        "name": "xpertrat_mutexes",
        "time": 0.004
      },
      {
        "name": "rat_xtreme_mutexes",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.006
      },
      {
        "name": "remcos_files",
        "time": 0.0
      },
      {
        "name": "remcos_mutexes",
        "time": 0.0
      },
      {
        "name": "remcos_regkeys",
        "time": 0.006
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.004
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "spicyhotpot_behavior",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.004
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.0
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "targeted_flame",
        "time": 0.004
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.167
      },
      {
        "name": "trickbot_mutex",
        "time": 0.0
      },
      {
        "name": "fleercivet_mutex",
        "time": 0.0
      },
      {
        "name": "lokibot_mutexes",
        "time": 0.0
      },
      {
        "name": "ursnif_behavior",
        "time": 0.001
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "neshta_mutexes",
        "time": 0.0
      },
      {
        "name": "renamer_mutexes",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.004
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.004
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.005
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      },
      {
        "name": "allaple_mutexes",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "info": {
    "version": "2.4-CAPE",
    "started": "2025-11-19 23:43:57",
    "ended": "2025-11-19 23:47:42",
    "duration": 225,
    "id": 11,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 5,
      "status": "stopping",
      "name": "MalwareGuest",
      "label": "MalwareGuest",
      "platform": "windows",
      "manager": "Proxmox",
      "started_on": "2025-11-19 23:43:57",
      "shutdown_on": "2025-11-19 23:47:40"
    },
    "package": "exe",
    "timeout": true,
    "tlp": null,
    "parent_sample": null,
    "options": {
      "interactive": "1",
      "nohuman": "yes"
    },
    "source_url": null,
    "route": "internet",
    "user_id": 0,
    "CAPE_current_commit": "b8e0bcad685cdd750a8c54cd86745809ad1c320b"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 2552,
        "process_name": "explorer.exe",
        "parent_id": 2516,
        "module_path": "C:\\Windows\\explorer.exe",
        "first_seen": "2025-11-19 20:41:11,999",
        "calls": [
          {
            "timestamp": "2025-11-19 20:41:14,733",
            "thread_id": "560",
            "caller": "0x7ffecd44e842",
            "parentcaller": "0x7ffee34e16e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001f78"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-19 20:41:21,936",
            "thread_id": "2744",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2025-11-19 20:41:21,936",
            "thread_id": "2824",
            "caller": "0x7ff736098fba",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-19 20:41:21,936",
            "thread_id": "2824",
            "caller": "0x7ff736098fba",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000404",
                "pretty_value": "CLSCTX_LOCAL_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-19 20:41:22,014",
            "thread_id": "2768",
            "caller": "0x7ff73605c21a",
            "parentcaller": "0x7ff736042b6f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "21CBC515-2DDE-4D66-8292-BA34BD25094A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-19 20:41:22,014",
            "thread_id": "2768",
            "caller": "0x7ff73605c285",
            "parentcaller": "0x7ff736042b6f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-19 20:41:22,014",
            "thread_id": "2768",
            "caller": "0x7ff73605c285",
            "parentcaller": "0x7ff736042b6f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-19 20:41:22,014",
            "thread_id": "2768",
            "caller": "0x7ff736081e2d",
            "parentcaller": "0x7ff73603c798",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb90000"
              }
            ],
            "repeated": 1,
            "id": 7
          },
          {
            "timestamp": "2025-11-19 20:41:22,014",
            "thread_id": "2768",
            "caller": "0x7ff73603dd72",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001174"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2025-11-19 20:41:22,014",
            "thread_id": "2768",
            "caller": "0x7ff73603dd72",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001174"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2025-11-19 20:41:22,264",
            "thread_id": "2744",
            "caller": "0x7ffecd44e842",
            "parentcaller": "0x7ffee34e16e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001f64"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00001654"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000d34"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001174"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001174"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001174"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001174"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2025-11-19 20:41:24,124",
            "thread_id": "2768",
            "caller": "0x7ff735ffafc1",
            "parentcaller": "0x7ff73603de65",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2025-11-19 20:41:29,139",
            "thread_id": "2800",
            "caller": "0x7ffecd44e842",
            "parentcaller": "0x7ffee34e16e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2025-11-19 20:41:29,905",
            "thread_id": "2768",
            "caller": "0x7ff7360423a8",
            "parentcaller": "0x7ff736042e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001f78"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2025-11-19 20:41:29,905",
            "thread_id": "2768",
            "caller": "0x7ff7360423a8",
            "parentcaller": "0x7ff736042e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001180"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0012f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2025-11-19 20:41:29,905",
            "thread_id": "2768",
            "caller": "0x7ff7360423a8",
            "parentcaller": "0x7ff736042e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "RegionSize",
                "value": "0x0012f000"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2768",
            "caller": "0x7ff73605b354",
            "parentcaller": "0x7ff73605b12e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2800",
            "caller": "0x7ff7360599ca",
            "parentcaller": "0x7ff73605a869",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2276",
            "caller": "0x7ffecd44d59f",
            "parentcaller": "0x7ffecd48c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001f68"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2800",
            "caller": "0x7ff73605bdd2",
            "parentcaller": "0x7ff73605a52a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2996",
            "caller": "0x7ff73601c67f",
            "parentcaller": "0x7ff73601c407",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001764"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df4df430000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x003e3000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2800",
            "caller": "0x7ff73605a552",
            "parentcaller": "0x7ff736059a4f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2800",
            "caller": "0x7ff73605a552",
            "parentcaller": "0x7ff736059a4f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2800",
            "caller": "0x7ff73605a65f",
            "parentcaller": "0x7ff736059a4f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2800",
            "caller": "0x7ff73605a65f",
            "parentcaller": "0x7ff736059a4f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4234D49B-0245-4DF3-B780-3893943456E1"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E6-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2996",
            "caller": "0x7ff73601a878",
            "parentcaller": "0x7ff73601a7ba",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df4df430000"
              },
              {
                "name": "RegionSize",
                "value": "0x003e3000"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2800",
            "caller": "0x7ff73605a65f",
            "parentcaller": "0x7ff736059a4f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "02C5CCF3-805F-4654-A7B7-340A74335365"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2025-11-19 20:41:29,983",
            "thread_id": "2624",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00001654"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2025-11-19 20:41:29,999",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736058f2b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2025-11-19 20:41:29,999",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736058f2b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2025-11-19 20:41:29,999",
            "thread_id": "2624",
            "caller": "0x7ffee10e3013",
            "parentcaller": "0x7ffecd49672b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000017c8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\GameDVR\\KnownGameList.bin"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x80\\xb1\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\policeassist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001f64"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\SystemResources\\policeassist.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\policeassist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001f64"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\SystemResources\\policeassist.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2025-11-19 20:41:30,014",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e780000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2025-11-19 20:41:30,030",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001f64"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100000",
                "pretty_value": "SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2025-11-19 20:41:30,030",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2025-11-19 20:41:30,030",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2025-11-19 20:41:30,030",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2025-11-19 20:41:30,045",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2025-11-19 20:41:30,045",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2025-11-19 20:41:30,061",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2025-11-19 20:41:30,061",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2025-11-19 20:41:30,077",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2025-11-19 20:41:30,077",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2025-11-19 20:41:30,092",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2025-11-19 20:41:30,092",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2025-11-19 20:41:30,108",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2025-11-19 20:41:30,108",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2025-11-19 20:41:30,124",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2025-11-19 20:41:30,124",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2025-11-19 20:41:30,139",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2025-11-19 20:41:30,139",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2025-11-19 20:41:30,155",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2025-11-19 20:41:30,155",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2025-11-19 20:41:30,170",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2025-11-19 20:41:30,170",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2025-11-19 20:41:30,186",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2025-11-19 20:41:30,186",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2025-11-19 20:41:30,608",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736058f2b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2025-11-19 20:41:30,608",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736058f2b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2025-11-19 20:41:30,608",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2025-11-19 20:41:30,608",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2025-11-19 20:41:30,608",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2025-11-19 20:41:30,608",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2025-11-19 20:41:34,999",
            "thread_id": "2744",
            "caller": "0x7ffecd44e842",
            "parentcaller": "0x7ffee34e16e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001f60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2025-11-19 20:41:56,983",
            "thread_id": "3512",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\usermgrproxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedb0e0000"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2025-11-19 20:41:56,983",
            "thread_id": "3512",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedb0e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2025-11-19 20:43:25,327",
            "thread_id": "3512",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\ShellCommonCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb1d0000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2025-11-19 20:43:25,327",
            "thread_id": "3512",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecb1d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2025-11-19 20:43:27,592",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee3496068",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aa18000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2025-11-19 20:43:27,592",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aa1b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2025-11-19 20:43:27,592",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aa6b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2025-11-19 20:43:27,592",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee3496068",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aaa2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2025-11-19 20:43:27,592",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aaae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2025-11-19 20:43:27,592",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee3496068",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x090ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2025-11-19 20:43:27,592",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x090b1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2025-11-19 20:43:27,592",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0909c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\WindowsInternal.ComposableShell.DesktopHosting"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed4520000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed4520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\execmodelproxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed1150000"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed1150000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CapabilityAccessManagerClient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffec7750000"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffec7750000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.CloudStore.Schema.Shell"
              },
              {
                "name": "DllBase",
                "value": "0x7ffece180000"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffece180000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryBroker"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecf560000"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2025-11-19 20:43:29,545",
            "thread_id": "560",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf560000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2025-11-19 20:43:31,264",
            "thread_id": "560",
            "caller": "0x7ffee167b8ed",
            "parentcaller": "0x7ffee1895341",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000009b8",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffee18953d0"
              },
              {
                "name": "Parameter",
                "value": "0x095d7bb0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "1856"
              },
              {
                "name": "ProcessId",
                "value": "2552"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2025-11-19 20:43:31,264",
            "thread_id": "560",
            "caller": "0x7ffee110f430",
            "parentcaller": "0x7ffee1895379",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000009b8"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "1856"
              },
              {
                "name": "ProcessId",
                "value": "2552"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2025-11-19 20:43:31,264",
            "thread_id": "1856",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee2f96b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.CloudStore.Schema.Shell"
              },
              {
                "name": "DllBase",
                "value": "0x7ffece180000"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2025-11-19 20:43:31,264",
            "thread_id": "1856",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee2f96b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.CloudStore.Schema.Shell.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffece180000"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2025-11-19 20:43:31,264",
            "thread_id": "1856",
            "caller": "0x7ffed3c588d0",
            "parentcaller": "0x7ffed3cfa7f7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "50CE75BC-766C-4136-BF5E-9197AA23569E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2025-11-19 20:43:31,280",
            "thread_id": "1856",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000b0c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2025-11-19 20:43:31,280",
            "thread_id": "1856",
            "caller": "0x7ffed3c7f105",
            "parentcaller": "0x7ffed3c75e39",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "6A602D88-1FC3-47CC-ABC4-D1F9BCBFC569"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "EFE84C27-AFA6-485D-A70A-AA2AB5CB6C67"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 116
          },
          {
            "timestamp": "2025-11-19 20:43:31,280",
            "thread_id": "1856",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee2f66d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00001764"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2025-11-19 20:43:31,280",
            "thread_id": "1856",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2025-11-19 20:43:31,280",
            "thread_id": "1856",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee2f96b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\usermgrproxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedb0e0000"
              }
            ],
            "repeated": 0,
            "id": 119
          }
        ],
        "threads": [
          "560",
          "2744",
          "2824",
          "2768",
          "2800",
          "2276",
          "2996",
          "2624",
          "4032",
          "3512",
          "2840",
          "1856"
        ],
        "environ": {
          "UserName": "Admin",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\Explorer.EXE",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff735ff0000",
          "MainExeSize": "0x00546000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 1324,
        "process_name": "PoliceAssist.exe",
        "parent_id": 1800,
        "module_path": "C:\\Temp\\PoliceAssist.exe",
        "first_seen": "2025-11-19 20:41:21,510",
        "calls": [
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee34dc2c7",
            "parentcaller": "0x7ffee34dc05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsock32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc860000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffedc861310"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee16742c4",
            "parentcaller": "0x7ffee1673b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee1674459",
            "parentcaller": "0x7ffee1673b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000001e0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee16744a6",
            "parentcaller": "0x7ffee1673b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001dc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00800000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee166e7a0",
            "parentcaller": "0x7ffee1675084",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee166e7f0",
            "parentcaller": "0x7ffee1675084",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001d8"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee166e818",
            "parentcaller": "0x7ffee1675084",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d8"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee1686103",
            "parentcaller": "0x7ffee16751de",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001e0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee1674f83",
            "parentcaller": "0x7ffee167468c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001e0"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee1674f8a",
            "parentcaller": "0x7ffee167468c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001dc"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee167468c",
            "parentcaller": "0x7ffee1673b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00800000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008ef000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee1672a0e",
            "parentcaller": "0x7ffecf603a53",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "ThemePropScrollBarCtl"
              },
              {
                "name": "Atom",
                "value": "0x0000c020"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee1672a0e",
            "parentcaller": "0x7ffecf603a6d",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "MicrosoftTabletPenServiceProperty"
              },
              {
                "name": "Atom",
                "value": "0x0000c021"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffecf603bac",
            "parentcaller": "0x7ffecf603add",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001022"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee10be76a",
            "parentcaller": "0x7ffecf603aeb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "LPK"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee10be76a",
            "parentcaller": "0x7ffecf603b03",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "GDI32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1850000"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffecf603b1e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1850000"
              },
              {
                "name": "FunctionName",
                "value": "LpkEditControl"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1875740"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffecf603b1e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\\comctl32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffecf639e70"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2025-11-19 20:41:21,682",
            "thread_id": "1884",
            "caller": "0x7ffee34dc2c7",
            "parentcaller": "0x7ffee34dc05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\psapi"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee15f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee15f1110"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2025-11-19 20:41:21,698",
            "thread_id": "1884",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2025-11-19 20:41:21,698",
            "thread_id": "1884",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\comdlg32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1510000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee1543a50"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2025-11-19 20:41:21,698",
            "thread_id": "1884",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2025-11-19 20:41:21,698",
            "thread_id": "1652",
            "caller": "0x7ffee34ceb32",
            "parentcaller": "0x7ffee34877c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 2,
            "id": 23
          },
          {
            "timestamp": "2025-11-19 20:41:21,698",
            "thread_id": "1680",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 24
          },
          {
            "timestamp": "2025-11-19 20:41:21,713",
            "thread_id": "1884",
            "caller": "0x1400d415d",
            "parentcaller": "0x1400cdb19",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2025-11-19 20:41:21,713",
            "thread_id": "1884",
            "caller": "0x1400cf0e0",
            "parentcaller": "0x1400cd9e4",
            "category": "misc",
            "api": "HeapCreate",
            "status": true,
            "return": "0x05430000",
            "arguments": [
              {
                "name": "Options",
                "value": "0"
              },
              {
                "name": "InitialSize",
                "value": "0x00001000"
              },
              {
                "name": "MaximumSize",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2025-11-19 20:41:21,713",
            "thread_id": "1884",
            "caller": "0x1400cda54",
            "parentcaller": "0x00000000",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x008b219a",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Temp\\PoliceAssist.exe\" "
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2025-11-19 20:41:21,713",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400d0aa0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05432000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2025-11-19 20:41:21,713",
            "thread_id": "1884",
            "caller": "0x1400d5319",
            "parentcaller": "0x1400d0b23",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05433000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2025-11-19 20:41:21,713",
            "thread_id": "1884",
            "caller": "0x1400d37d5",
            "parentcaller": "0x1400cad15",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x1400d3780"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2025-11-19 20:41:21,713",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400aa4ba",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x052c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2025-11-19 20:41:21,713",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400aa4ba",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x052c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2025-11-19 20:41:21,713",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbba6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05435000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000202"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "SystemBasicInformation"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1884"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000228"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000001d0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000228"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea7f000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea75000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d0"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea75000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedea70000"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffedea73f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3271000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3271000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1390000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00082000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee13f7000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee13f7000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee1390000"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000234"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "A\\xce\\xde\\xc9\\x8b\\x05\\xca\\xcc\\x1b\\x1f\\x1a\\x08\\xfd\\x8b\\xb7}\\xa8D}\n\\x94\\x85\\xe6\\x0b\\xeb\\xd8\\x0f\\x91|\\xf6\\xedx\\x01eq}\\xedk \\x177\\x11\\x17m\\xc2\\x1a]\\x08"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1390000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee13c8b60"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee345e000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee345e000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008f4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3271000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3271000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ffede5b0000"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffede5b0000"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffede5b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffede5b0000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffede5bcde0"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xee\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000023c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000023c"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000023c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2025-11-19 20:41:21,729",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "OleDropTargetInterface"
              },
              {
                "name": "Atom",
                "value": "0x0000c01e"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "OleDropTargetMarshalHwnd"
              },
              {
                "name": "Atom",
                "value": "0x0000c01f"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001bba4",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001bbb4",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetVersion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34ae4e0"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400df2b1",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400df2c1",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "RemoveClipboardFormatListener"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1f9cef0"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400df2e1",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400df2f1",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "AddClipboardFormatListener"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1f9cf10"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400ae373",
            "parentcaller": "0x1400ae49c",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x008cf5d0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x0c174eca"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dc598a"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400ae387",
            "parentcaller": "0x1400ae49c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400ae3ef",
            "parentcaller": "0x1400ae49c",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x008ced90",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x779d2e27"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dc59a8"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400ae402",
            "parentcaller": "0x1400ae49c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x140020820",
            "parentcaller": "0x1400201a7",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x00000000"
              },
              {
                "name": "Type",
                "value": "#10"
              },
              {
                "name": "Name",
                "value": ">AUTOHOTKEY SCRIPT<"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x140020837",
            "parentcaller": "0x1400201a7",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000301f",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313b0"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14002084e",
            "parentcaller": "0x1400201a7",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140136168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x00000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313b0"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400aa8e0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05437000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400111be",
            "parentcaller": "0x140010c92",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 12,
            "id": 109
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400aa4ba",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x052d2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbba6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0543a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006bd5a",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006bd6e",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006bd82",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "comctl32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006bd96",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "gdi32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1850000"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "ReadProcessMemory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "ReadProcessMemory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee167c800"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "CloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "CloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1684bf0"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee167b0f0"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x140020668",
            "parentcaller": "0x1400053b0",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x140005722",
            "parentcaller": "0x1400053c5",
            "category": "windows",
            "api": "FindWindowW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ClassName",
                "value": "AutoHotkey"
              },
              {
                "name": "WindowName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af45e",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#159"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af473",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140139188",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313c0"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af51b",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x140131320",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#2"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af52f",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140132500",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131320"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af551",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000025a8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131320"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1879000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1879000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af45e",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#159"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af473",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140139188",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313c0"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af51b",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x140131310",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af52f",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140131458",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131310"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x1400af551",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000010a8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131310"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x140131380",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#4"
              },
              {
                "name": "Name",
                "value": "#211"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140135d70",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131380"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "MSCTF.dll"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000240"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee21a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00114000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee22b0000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee227b000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee227b000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee21a0000"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msctf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee21a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee21e0760"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1dc9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1dc9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1dc9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1dc9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "ru-RU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "ru-RU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2025-11-19 20:41:21,745",
            "thread_id": "1884",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xc5\\x04\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x8f\\x94\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00830000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fe750"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Windows\\Theme2433617381"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\Theme150788276"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00830000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000250"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05760000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fee70"
              },
              {
                "name": "ViewSize",
                "value": "0x00100000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000254"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00830000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fee70"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34793b0"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee350fc40"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34b2460"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34efa30"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34ccbd0"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34d3410"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:1324:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05752000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00840000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00840000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05754000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05755000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008fa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008ff000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              },
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "67"
              },
              {
                "name": "MaxValueNameLength",
                "value": "27"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00904000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Lucida Sans Unicode"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lucida Sans Unicode"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "Microsoft Sans Serif"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft Sans Serif"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "ValueName",
                "value": "Tahoma"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Tahoma"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Bold"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Light"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Semibold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Semibold"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "ValueName",
                "value": "Ebrima"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Ebrima"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "ValueName",
                "value": "Ebrima Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Ebrima Bold"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "ValueName",
                "value": "Gadugi"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gadugi"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "11"
              },
              {
                "name": "ValueName",
                "value": "Gadugi Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gadugi Bold"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "12"
              },
              {
                "name": "ValueName",
                "value": "Khmer UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Khmer UI"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "13"
              },
              {
                "name": "ValueName",
                "value": "Khmer UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Khmer UI Bold"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "14"
              },
              {
                "name": "ValueName",
                "value": "Lao UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lao UI"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "15"
              },
              {
                "name": "ValueName",
                "value": "Lao UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lao UI Bold"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "16"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "17"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee Bold"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "18"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee UI"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "19"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee UI Bold"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "20"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "21"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI Bold"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "22"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "23"
              },
              {
                "name": "ValueName",
                "value": "MingLiU"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2025-11-19 20:41:21,760",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "24"
              },
              {
                "name": "ValueName",
                "value": "PMingLiU"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\PMingLiU"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "25"
              },
              {
                "name": "ValueName",
                "value": "MingLiU_HKSCS"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU_HKSCS"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "26"
              },
              {
                "name": "ValueName",
                "value": "MingLiU-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU-ExtB"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "27"
              },
              {
                "name": "ValueName",
                "value": "PMingLiU-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\PMingLiU-ExtB"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "28"
              },
              {
                "name": "ValueName",
                "value": "MingLiU_HKSCS-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU_HKSCS-ExtB"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "29"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "30"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei Bold"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "31"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "32"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI Bold"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "33"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI Light"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "34"
              },
              {
                "name": "ValueName",
                "value": "SimSun"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\SimSun"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "35"
              },
              {
                "name": "ValueName",
                "value": "SimSun-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\SimSun-ExtB"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "36"
              },
              {
                "name": "ValueName",
                "value": "NSimSun"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\NSimSun"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "37"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "38"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei Bold"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "39"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "40"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI Bold"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "41"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI Light"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "42"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "43"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Bold"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "44"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Light"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "45"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "46"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Semibold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Semibold"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "47"
              },
              {
                "name": "ValueName",
                "value": "Meiryo"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "48"
              },
              {
                "name": "ValueName",
                "value": "Meiryo Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo Bold"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "49"
              },
              {
                "name": "ValueName",
                "value": "Meiryo UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo UI"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "50"
              },
              {
                "name": "ValueName",
                "value": "Meiryo UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo UI Bold"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "51"
              },
              {
                "name": "ValueName",
                "value": "MS Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS Gothic"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "52"
              },
              {
                "name": "ValueName",
                "value": "MS PGothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS PGothic"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "53"
              },
              {
                "name": "ValueName",
                "value": "MS UI Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS UI Gothic"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "54"
              },
              {
                "name": "ValueName",
                "value": "MS Mincho"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS Mincho"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "55"
              },
              {
                "name": "ValueName",
                "value": "MS PMincho"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS PMincho"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "56"
              },
              {
                "name": "ValueName",
                "value": "Batang"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Batang"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "57"
              },
              {
                "name": "ValueName",
                "value": "BatangChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\BatangChe"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "58"
              },
              {
                "name": "ValueName",
                "value": "Dotum"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Dotum"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "59"
              },
              {
                "name": "ValueName",
                "value": "DotumChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\DotumChe"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "60"
              },
              {
                "name": "ValueName",
                "value": "Gulim"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gulim"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "61"
              },
              {
                "name": "ValueName",
                "value": "GulimChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\GulimChe"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "62"
              },
              {
                "name": "ValueName",
                "value": "Gungsuh"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gungsuh"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "63"
              },
              {
                "name": "ValueName",
                "value": "GungsuhChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\GungsuhChe"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "64"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "65"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic Bold"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "66"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic Semilight"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Index",
                "value": "67"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "0",
                "pretty_value": "REG_NONE"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00907000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              },
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "Disable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "DataFilePath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000009"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0090e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00923000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34d3410"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:1324:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2025-11-19 20:41:21,776",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed6980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000ac000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed69cf000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed69cf000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\TextShaping"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed6980000"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\TextShaping"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed6980000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffed69ca790"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ef5000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ef5000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0092c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00931000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane2"
              },
              {
                "name": "Data",
                "value": "SimSun-ExtB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane7"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane11"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane12"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane13"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane14"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane15"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "Plane16"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "4"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "13"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "MingLiU"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MingLiU"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "MingLiU_HKSCS"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MingLiU_HKSCS"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "PMingLiU"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\PMingLiU"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "SimSun"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\SimSun"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000258"
              },
              {
                "name": "SubKey",
                "value": "Segoe UI"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf5a0000"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffecf5a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2025-11-19 20:41:21,791",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf625670"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000084"
              },
              {
                "name": "ValueName",
                "value": "000603xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1660000"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee1660000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee166a190"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1680170"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000258"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000025c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06050000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fef00"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "ru-RU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "ru"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{0000004A-57EE-1E5C-00B4-D0000BB1E11E}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1f70000"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06390000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06390000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf7ea000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf7ea000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf7ea000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf7ea000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\PoliceAssist.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\PoliceAssist.exe"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000025c"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll.Config"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf5a0000"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffecf5a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00860000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "HIMAGELIST_QueryInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf61fa20"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DrawShadowText"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf69cfe0"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DrawSizeBox"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf62f780"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DrawScrollBar"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf610d20"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "SizeBoxHwnd"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf6152d0"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "ScrollBar_MouseMove"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf6921e0"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "ScrollBar_Menu"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf691ff0"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "HandleScrollCmd"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf691f50"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DetachScrollBars"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf5a2440"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "AttachScrollBars"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf617150"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "CCSetScrollInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf612230"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "CCGetScrollInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf62bcc0"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "CCEnableScrollBar"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf5a2830"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "QuerySystemGestureStatus"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf691fb0"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2025-11-19 20:41:21,807",
            "thread_id": "1884",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 2,
            "id": 411
          },
          {
            "timestamp": "2025-11-19 20:41:21,823",
            "thread_id": "1884",
            "caller": "0x140056880",
            "parentcaller": "0x14001f39f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05757000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2025-11-19 20:41:21,823",
            "thread_id": "1884",
            "caller": "0x14001f3c5",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#9"
              },
              {
                "name": "Name",
                "value": "#212"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2025-11-19 20:41:21,823",
            "thread_id": "1884",
            "caller": "0x14001f3c5",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140136120",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313a0"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2025-11-19 20:41:21,823",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010098",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2025-11-19 20:41:21,823",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1324"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2025-11-19 20:41:21,823",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2025-11-19 20:41:21,823",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2025-11-19 20:41:21,823",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2025-11-19 20:41:21,823",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x008ce6d0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x0c174eca"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dc598a"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000025c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedec70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0079b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf281000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0002d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0529000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0519000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf281000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0519000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedec70000"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-eventing-provider-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              },
              {
                "name": "FunctionName",
                "value": "EventSetInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34b2af0"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2025-11-19 20:41:21,838",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wldp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee0503200"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34d9f40"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              },
              {
                "name": "FunctionName",
                "value": "SleepConditionVariableCS"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1103890"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              },
              {
                "name": "FunctionName",
                "value": "WakeAllConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34c5430"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34d3410"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\windows.storage"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedec70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffedee292f0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000028c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000006"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows_shell_global_counters"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000028c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00860000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fe060"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000294"
              },
              {
                "name": "SubKey",
                "value": "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"
              },
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "ProgramFilesX86"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21817"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e6000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e6000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000298"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion"
              },
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir (x86)"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000029c"
              },
              {
                "name": "SubKey",
                "value": "{6D809377-6AF0-444B-8957-A3773F02200E}"
              },
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444B-8957-A3773F02200E}"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "ProgramFilesX64"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002a0"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion"
              },
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2025-11-19 20:41:21,854",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002a4"
              },
              {
                "name": "SubKey",
                "value": "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
              },
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "SystemX86"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002a8"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddress",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlWow64GetCurrentMachine"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34c0d90"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddress",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlWow64IsWowGuestMachineSupported"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34ec670"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002a8"
              },
              {
                "name": "SubKey",
                "value": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              },
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "System"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ac"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ac"
              },
              {
                "name": "SubKey",
                "value": "{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              },
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Windows"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002b0"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2025-11-19 20:41:21,870",
            "thread_id": "1884",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x140005870",
            "parentcaller": "0x1400053d3",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002000"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x140005893",
            "parentcaller": "0x1400053d3",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002001"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0543b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00870000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00870000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0543d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x052e3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x052e7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05308000"
              },
              {
                "name": "RegionSize",
                "value": "0x00041000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x14000b81e",
            "parentcaller": "0x14000d2a6",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x14000bd10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "2196"
              },
              {
                "name": "ProcessId",
                "value": "1324"
              },
              {
                "name": "Module",
                "value": "PoliceAssist.exe"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x14000b81e",
            "parentcaller": "0x14000d2a6",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002a0",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x14000bd10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "2196"
              },
              {
                "name": "ProcessId",
                "value": "1324"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x14000b85a",
            "parentcaller": "0x14000d2a6",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "1324"
              },
              {
                "name": "ThreadId",
                "value": "2196"
              },
              {
                "name": "Message",
                "value": "1047"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "2196",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "1884",
            "caller": "0x14000b867",
            "parentcaller": "0x14000d2a6",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "10"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14000b85a",
            "parentcaller": "0x14000d2a6",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "1324"
              },
              {
                "name": "ThreadId",
                "value": "2196"
              },
              {
                "name": "Message",
                "value": "1047"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14000b98b",
            "parentcaller": "0x14000d2a6",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 6,
            "id": 651
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "2196",
            "caller": "0x14000c085",
            "parentcaller": "0x14000bd82",
            "category": "windows",
            "api": "FindWindowW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ClassName",
                "value": "#32771"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14000b98b",
            "parentcaller": "0x14000d2a6",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "2196",
            "caller": "0x14000bd9d",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "SetWindowsHookExW",
            "status": true,
            "return": "0x00080237",
            "arguments": [
              {
                "name": "HookIdentifier",
                "value": "13",
                "pretty_value": "WH_KEYBOARD_LL"
              },
              {
                "name": "ProcedureAddress",
                "value": "0x140006970"
              },
              {
                "name": "ModuleAddress",
                "value": "0x140000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "2196",
            "caller": "0x14000be1b",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "SetWindowsHookExW",
            "status": true,
            "return": "0x000b024d",
            "arguments": [
              {
                "name": "HookIdentifier",
                "value": "14",
                "pretty_value": "WH_MOUSE_LL"
              },
              {
                "name": "ProcedureAddress",
                "value": "0x140006b90"
              },
              {
                "name": "ModuleAddress",
                "value": "0x140000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14000b98b",
            "parentcaller": "0x14000d2a6",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 1,
            "id": 656
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "2196",
            "caller": "0x14000be7c",
            "parentcaller": "0x00000000",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "1324"
              },
              {
                "name": "ThreadId",
                "value": "1884"
              },
              {
                "name": "Message",
                "value": "1047"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14000ba3c",
            "parentcaller": "0x14000d2a6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "MutexName",
                "value": "AHK Keybd"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14000ba7f",
            "parentcaller": "0x14000d2a6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              },
              {
                "name": "MutexName",
                "value": "AHK Mouse"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x14001f78e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05349000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x14008a293",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0535f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14007a95b",
            "parentcaller": "0x1400b1967",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x009322b0",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "SC_MANAGER_LOCK"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14004e3fd",
            "parentcaller": "0x140036c64",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000200",
                "pretty_value": "PROCESS_SET_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1324"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14004e410",
            "parentcaller": "0x140036c64",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "18"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x06"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x14004e41b",
            "parentcaller": "0x140036c64",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2025-11-19 20:41:24,151",
            "thread_id": "1884",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x14008a293",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05368000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2025-11-19 20:41:25,151",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee2c20000"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2025-11-19 20:41:25,151",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wbemcomn"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed95e0000"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2025-11-19 20:41:25,151",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemdisp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed9590000"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2025-11-19 20:41:25,166",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "API-MS-Win-Core-LocalRegistry-L1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2025-11-19 20:41:25,166",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed9590000"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2025-11-19 20:41:25,166",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": false,
            "return": "0xffffffff80040154",
            "arguments": [
              {
                "name": "rclsid",
                "value": "172BDDF8-CEEA-11D1-8B05-00600806D9B6"
              },
              {
                "name": "ClsContext",
                "value": "0x00000417",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "0000011A-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": "WINMGMTS.1"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2025-11-19 20:41:25,166",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\advapi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b50000"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2025-11-19 20:41:25,166",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "172BDDF8-CEEA-11D1-8B05-00600806D9B6"
              },
              {
                "name": "ClsContext",
                "value": "0x00000417",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "0000011A-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": "WINMGMTS.1"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2025-11-19 20:41:25,166",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc220000"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2025-11-19 20:41:25,182",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc220000"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2025-11-19 20:41:25,182",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F811-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "DC12A687-737F-11CF-884D-00AA004B2E24"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2025-11-19 20:41:25,182",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wmiutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed9560000"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2025-11-19 20:41:25,182",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wmiutils.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed9560000"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2025-11-19 20:41:25,182",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 4,
            "id": 680
          },
          {
            "timestamp": "2025-11-19 20:41:25,198",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000318"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffee2fe2d30"
              },
              {
                "name": "Parameter",
                "value": "0x008f2a50"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "3064"
              },
              {
                "name": "ProcessId",
                "value": "1324"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2025-11-19 20:41:25,198",
            "thread_id": "3064",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0093f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2025-11-19 20:41:25,198",
            "thread_id": "3064",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 683
          },
          {
            "timestamp": "2025-11-19 20:41:25,198",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00942000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2025-11-19 20:41:25,198",
            "thread_id": "4092",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000334"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2025-11-19 20:41:25,198",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00943000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2025-11-19 20:41:25,198",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 687
          },
          {
            "timestamp": "2025-11-19 20:41:25,198",
            "thread_id": "3612",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000348"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2025-11-19 20:41:25,198",
            "thread_id": "3612",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00949000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2025-11-19 20:41:25,229",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2025-11-19 20:41:25,229",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2025-11-19 20:41:25,229",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedb270000"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2025-11-19 20:41:25,229",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemsvc.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedb270000"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2025-11-19 20:41:25,245",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 694
          },
          {
            "timestamp": "2025-11-19 20:41:25,245",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-l1-2-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2025-11-19 20:41:25,245",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-obsolete-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2025-11-19 20:41:25,307",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\fastprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed3fc0000"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2025-11-19 20:41:25,307",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 698
          },
          {
            "timestamp": "2025-11-19 20:41:25,432",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\fastprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed3fc0000"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2025-11-19 20:41:25,432",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\amsi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffede1c0000"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2025-11-19 20:41:25,432",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "amsi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffede1c0000"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 702
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoGetObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"
              },
              {
                "name": "riid",
                "value": "00020400-0000-0000-C000-000000000046"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "sxs.dll"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\sxs.dll"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\sxs.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000360"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\sxs.dll"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee08c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee095d000"
              },
              {
                "name": "ModuleName",
                "value": "sxs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee093a000"
              },
              {
                "name": "ModuleName",
                "value": "sxs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee093a000"
              },
              {
                "name": "ModuleName",
                "value": "sxs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\sxs"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee08c0000"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00968000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\sxs"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee08c0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee08f4890"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b48000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2025-11-19 20:41:25,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b48000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000346-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E085AD58-B839-4625-B40B-4CC546E82D75"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b48000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b48000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x9d\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\xf0'\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8'\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x9f\\x7f\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000366"
              },
              {
                "name": "SubKey",
                "value": "TypeLib"
              },
              {
                "name": "Handle",
                "value": "0x00000362"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000366"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000362"
              },
              {
                "name": "SubKey",
                "value": "{565783C6-CB41-11D1-8B02-00600806D9B6}"
              },
              {
                "name": "Handle",
                "value": "0x00000366"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000366"
              },
              {
                "name": "SubKey",
                "value": "1.0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000366"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1.2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000366"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000366"
              },
              {
                "name": "SubKey",
                "value": "1.2"
              },
              {
                "name": "Handle",
                "value": "0x0000036a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "419"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\419"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "19"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\19"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036e"
              },
              {
                "name": "SubKey",
                "value": "win64"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\x96\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00n\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x97\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036a"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000366"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000362"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 759
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xa8\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2025-11-19 20:41:25,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb0\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": ".rdata\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@"
              },
              {
                "name": "Length",
                "value": "40"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Codepage"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Codepage"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "1252"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "c_1252.nls"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\1252"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\C_1252.NLS"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": ".rsrc\\x00\\x00\\x00\\x00\\xe5\\x00\\x00\\x00 \\x00\\x00\\x00\\xe6\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@"
              },
              {
                "name": "Length",
                "value": "40"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 771
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 774
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xa0\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x07\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2025-11-19 20:41:25,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 778
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "0\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 781
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x01\\x00\\x00\\x00P\\x00\\x00\\x80"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 783
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "P\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "h$\\x00\\x00\\x98\\xe0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2025-11-19 20:41:25,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x053c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007f9670"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0096b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0096d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0096f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00970000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00971000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00972000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00974000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "en"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "WMI_ExecQuery",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Query",
                "value": "Select * from Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed40c8000"
              },
              {
                "name": "ModuleName",
                "value": "fastprox.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed40c8000"
              },
              {
                "name": "ModuleName",
                "value": "fastprox.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedb281000"
              },
              {
                "name": "ModuleName",
                "value": "wbemsvc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedb281000"
              },
              {
                "name": "ModuleName",
                "value": "wbemsvc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{027947E1-D731-11CE-A357-000000000001}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90o\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90p\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\wbem\\fastprox.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 828
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " n\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00 o\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 834
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " n\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00 o\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "Pl\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00Pm\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 853
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00978000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\wbem\\fastprox.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 861
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0j\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0k\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2025-11-19 20:41:25,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0j\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0k\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 873
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " j\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00 k\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 887
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 897
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 899
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036e"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{7C857801-7381-11CF-884D-00AA004B2E24}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{7C857801-7381-11CF-884D-00AA004B2E24}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 915
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000346-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E085AD58-B839-4625-B40B-4CC546E82D75"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 917
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\x9d\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\xf0'\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8'\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x9e\\x7f\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "TypeLib"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib"
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "{565783C6-CB41-11D1-8B02-00600806D9B6}"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "1.0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0"
              }
            ],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1.2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\"
              }
            ],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "1.2"
              },
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "419"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\419"
              }
            ],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "19"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\19"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000382"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "win64"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000382"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\x96\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x82\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x97\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 941
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000382"
              },
              {
                "name": "ObjectAttributesName",
                "value": "win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 943
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 949
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0097c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 956
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 959
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 961
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0097f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00982000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 968
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 969
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 973
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000346-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E085AD58-B839-4625-B40B-4CC546E82D75"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x92\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\xf0'\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8'\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x93\\x7f\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "TypeLib"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 985
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "{565783C6-CB41-11D1-8B02-00600806D9B6}"
              },
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "1.0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1.2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\"
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "1.2"
              },
              {
                "name": "Handle",
                "value": "0x00000382"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "419"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\419"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2025-11-19 20:41:29,448",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "19"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\19"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000386"
              },
              {
                "name": "SubKey",
                "value": "win64"
              },
              {
                "name": "Handle",
                "value": "0x0000038a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\x8b\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x86\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x8c\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000388"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000386"
              },
              {
                "name": "ObjectAttributesName",
                "value": "win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 1007
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000346-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E085AD58-B839-4625-B40B-4CC546E82D75"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 1011
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1013
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\x85\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\xf0'\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8'\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x7f\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "TypeLib"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "{00020430-0000-0000-C000-000000000046}"
              },
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "2.0"
              },
              {
                "name": "Handle",
                "value": "0x00000382"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000386"
              },
              {
                "name": "SubKey",
                "value": "win64"
              },
              {
                "name": "Handle",
                "value": "0x0000038a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1023
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 1025
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1027
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90~\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x86\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x7f\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1029
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1031
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000388"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000386"
              },
              {
                "name": "ObjectAttributesName",
                "value": "win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1033
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 1035
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 1037
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1039
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1040
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 1041
          },
          {
            "timestamp": "2025-11-19 20:41:29,463",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xa8\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1043
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1045
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb0\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": ".rdata\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@"
              },
              {
                "name": "Length",
                "value": "80"
              }
            ],
            "repeated": 0,
            "id": 1047
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1048
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1049
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1051
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf8\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x03\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1053
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\x00\\x00\\x80@\\x00\\x00\\x80"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1055
          },
          {
            "timestamp": "2025-11-19 20:41:29,479",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1056
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xe8\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1057
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x07\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1059
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 1060
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "@\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1061
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 1062
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "P\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1063
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x80"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 1065
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x88\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2025-11-19 20:41:29,495",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 1067
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1068
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xc8\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1069
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00!\\x00\\x00@:\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 1070
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1071
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x053d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007f7e30"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1073
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00985000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "SerialNumber"
              },
              {
                "name": "Value",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1075
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "SerialNumber"
              },
              {
                "name": "Value",
                "value": "48242-512-6672386-61707"
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1077
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "WinHttp.WinHttpRequest.5.1"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WinHttp.WinHttpRequest.5.1"
              }
            ],
            "repeated": 0,
            "id": 1079
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000372"
              },
              {
                "name": "SubKey",
                "value": "CLSID"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID"
              }
            ],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1081
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1083
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 1084
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "WinHttp.WinHttpRequest.5.1"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WinHttp.WinHttpRequest.5.1"
              }
            ],
            "repeated": 0,
            "id": 1085
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000372"
              },
              {
                "name": "SubKey",
                "value": "CLSID"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1087
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 1088
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1089
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{2087C2F4-2CEF-4953-A8AB-66779B670495}"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087C2F4-2CEF-4953-A8AB-66779B670495}"
              }
            ],
            "repeated": 0,
            "id": 1090
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1091
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1092
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\x94\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00r\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x95\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1093
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1095
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1097
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1099
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "WinHttpRequest Component version 5.1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000372"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1101
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1103
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\winhttpcom.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 1104
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Apartment"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 1105
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1107
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1108
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x92\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00r\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x93\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1109
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1111
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1113
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1114
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x92\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x95\\xc4\\xfe\\x7f\\x00\\x00r\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x95\\xc4\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x93\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1115
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1116
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000372"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1117
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000372"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2025-11-19 20:41:29,510",
            "thread_id": "1884",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1119
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x1400824ff",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\winhttpcom"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed5f30000"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x1400824ff",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttpcom.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f30000"
              }
            ],
            "repeated": 0,
            "id": 1121
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x1400824ff",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "2087C2F4-2CEF-4953-A8AB-66779B670495"
              },
              {
                "name": "ClsContext",
                "value": "0x00000015",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "riid",
                "value": "00020400-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": "WinHttp.WinHttpRequest.5.1"
              }
            ],
            "repeated": 0,
            "id": 1122
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f49000"
              },
              {
                "name": "ModuleName",
                "value": "winhttpcom.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1123
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f49000"
              },
              {
                "name": "ModuleName",
                "value": "winhttpcom.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 3,
            "id": 1125
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "WINHTTP.dll"
              }
            ],
            "repeated": 0,
            "id": 1127
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttp.dll"
              }
            ],
            "repeated": 0,
            "id": 1128
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1129
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000038c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttp.dll"
              }
            ],
            "repeated": 0,
            "id": 1130
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8a20000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0010a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1131
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1132
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8af5000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1133
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1134
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 1135
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8af5000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1136
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\WINHTTP"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed8a20000"
              }
            ],
            "repeated": 0,
            "id": 1137
          },
          {
            "timestamp": "2025-11-19 20:41:29,526",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 9,
            "id": 1138
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "SystemBasicInformation"
              }
            ],
            "repeated": 0,
            "id": 1139
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "SystemProcessorInformation"
              }
            ],
            "repeated": 0,
            "id": 1140
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\winhttp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8a20000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffed8a6e130"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1141
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f49000"
              },
              {
                "name": "ModuleName",
                "value": "winhttpcom.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1142
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f49000"
              },
              {
                "name": "ModuleName",
                "value": "winhttpcom.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1143
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "winhttp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8a20000"
              }
            ],
            "repeated": 0,
            "id": 1144
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\OnDemandConnRouteHelper"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb2e0000"
              }
            ],
            "repeated": 0,
            "id": 1145
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecb2e0000"
              }
            ],
            "repeated": 0,
            "id": 1146
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\OnDemandConnRouteHelper"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb2e0000"
              }
            ],
            "repeated": 0,
            "id": 1147
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "3612",
            "caller": "0x7ffed8a7c1c1",
            "parentcaller": "0x7ffed8a7c28f",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b8"
              },
              {
                "name": "SubKey",
                "value": "TenantRestrictions\\Payload"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "Handle",
                "value": "0x000003c8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1148
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "3612",
            "caller": "0x7ffed8a7c3f0",
            "parentcaller": "0x7ffed8a7c331",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000004"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1149
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009811b0"
              },
              {
                "name": "Option",
                "value": "0x0000004f"
              },
              {
                "name": "Buffer",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1150
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009811b0"
              },
              {
                "name": "Option",
                "value": "0x00000044"
              },
              {
                "name": "Buffer",
                "value": "\\xe9\\xfd\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1151
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "3612",
            "caller": "0x7ffed8a7c1c1",
            "parentcaller": "0x7ffed8a7c791",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "Handle",
                "value": "0x000003d0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1152
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009811b0"
              },
              {
                "name": "Option",
                "value": "0x00000053"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00 "
              }
            ],
            "repeated": 0,
            "id": 1153
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "3612",
            "caller": "0x7ffee1091958",
            "parentcaller": "0x7ffee1143cec",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d0"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffb9\\xffea\\x16\\xffb6\\&\\xffda\\x01\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1154
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "3612",
            "caller": "0x7ffed8a7c832",
            "parentcaller": "0x7ffed8a7b569",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d0"
              }
            ],
            "repeated": 0,
            "id": 1155
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpConnect",
            "status": true,
            "return": "0x00994610",
            "arguments": [
              {
                "name": "SessionHandle",
                "value": "0x009811b0"
              },
              {
                "name": "ServerName",
                "value": "pastebin.com"
              },
              {
                "name": "ServerPort",
                "value": "443"
              }
            ],
            "repeated": 0,
            "id": 1156
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpOpenRequest",
            "status": true,
            "return": "0x009947b0",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x00994610"
              },
              {
                "name": "Verb",
                "value": "GET"
              },
              {
                "name": "ObjectName",
                "value": "/raw/04TKQkE1"
              },
              {
                "name": "Version",
                "value": "HTTP/1.1"
              },
              {
                "name": "Referrer",
                "value": ""
              },
              {
                "name": "Flags",
                "value": "0x00800080"
              }
            ],
            "repeated": 0,
            "id": 1157
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009947b0"
              },
              {
                "name": "Option",
                "value": "0x0000004d"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1158
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009947b0"
              },
              {
                "name": "Option",
                "value": "0x00000059"
              },
              {
                "name": "Buffer",
                "value": "\n\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1159
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009947b0"
              },
              {
                "name": "Option",
                "value": "0x0000005b"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1160
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009947b0"
              },
              {
                "name": "Option",
                "value": "0x0000005c"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xa0\\x0f\\x00"
              }
            ],
            "repeated": 0,
            "id": 1161
          },
          {
            "timestamp": "2025-11-19 20:41:29,541",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\webio"
              },
              {
                "name": "DllBase",
                "value": "0x7ffec7790000"
              }
            ],
            "repeated": 0,
            "id": 1162
          },
          {
            "timestamp": "2025-11-19 20:41:29,557",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\mswsock"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0260000"
              }
            ],
            "repeated": 0,
            "id": 1163
          },
          {
            "timestamp": "2025-11-19 20:41:29,557",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 1164
          },
          {
            "timestamp": "2025-11-19 20:41:29,557",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0260000"
              }
            ],
            "repeated": 0,
            "id": 1165
          },
          {
            "timestamp": "2025-11-19 20:41:29,557",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\IPHLPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedff50000"
              }
            ],
            "repeated": 0,
            "id": 1166
          },
          {
            "timestamp": "2025-11-19 20:41:29,557",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1167
          },
          {
            "timestamp": "2025-11-19 20:41:29,557",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1168
          },
          {
            "timestamp": "2025-11-19 20:41:29,557",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\NSI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee2110000"
              }
            ],
            "repeated": 0,
            "id": 1169
          },
          {
            "timestamp": "2025-11-19 20:41:29,557",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WINNSI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedae00000"
              }
            ],
            "repeated": 0,
            "id": 1170
          },
          {
            "timestamp": "2025-11-19 20:41:29,557",
            "thread_id": "3612",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1171
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1172
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1173
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffed8a5ff36",
            "parentcaller": "0x7ffed8a5fde9",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x009ab5b0",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "SC_MANAGER_CONNECT"
              }
            ],
            "repeated": 0,
            "id": 1174
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffed8a5ff5e",
            "parentcaller": "0x7ffed8a5fde9",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x009ab700",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x009ab5b0"
              },
              {
                "name": "ServiceName",
                "value": "WinHttpAutoProxySvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000094",
                "pretty_value": "SERVICE_QUERY_STATUS|SERVICE_START|SERVICE_INTERROGATE"
              }
            ],
            "repeated": 0,
            "id": 1175
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1176
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1177
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee10bef9e",
            "parentcaller": "0x7ffee32a6d74",
            "category": "threading",
            "api": "NtOpenThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000468"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100010",
                "pretty_value": "THREAD_SET_CONTEXT|0x00100000"
              },
              {
                "name": "ProcessId",
                "value": "1324"
              },
              {
                "name": "ThreadId",
                "value": "118028008"
              }
            ],
            "repeated": 0,
            "id": 1178
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1179
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1180
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "4092",
            "caller": "0x7ffee32a6aa3",
            "parentcaller": "0x7ffee34d2dc9",
            "category": "threading",
            "api": "NtQueueApcThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "1324"
              },
              {
                "name": "ThreadId",
                "value": "3612"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000468"
              },
              {
                "name": "ApcRoutine",
                "value": "0x7ffee32aded0"
              },
              {
                "name": "Module",
                "value": "sechost.dll"
              }
            ],
            "repeated": 0,
            "id": 1181
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee32a8719",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1182
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee32a8719",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000468"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1183
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee10db62e",
            "parentcaller": "0x7ffee32a8746",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "250"
              }
            ],
            "repeated": 0,
            "id": 1184
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a5fe9f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 1185
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1186
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee338bf07",
            "parentcaller": "0x7ffee338be66",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1187
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1188
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "4092",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffed8a50b26",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1189
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "4092",
            "caller": "0x7ffee347c23a",
            "parentcaller": "0x7ffee347c30d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1190
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "4092",
            "caller": "0x7ffee347c23a",
            "parentcaller": "0x7ffee347c30d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 1191
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "4092",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a903e1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000045c"
              }
            ],
            "repeated": 0,
            "id": 1192
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "4092",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a51ba7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000458"
              }
            ],
            "repeated": 0,
            "id": 1193
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "4092",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a90fbf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 1194
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "4092",
            "caller": "0x7ffee347c23a",
            "parentcaller": "0x7ffee34c37ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000468"
              }
            ],
            "repeated": 0,
            "id": 1195
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c74000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1196
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22c2f9c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0260000"
              }
            ],
            "repeated": 1,
            "id": 1197
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22d00db",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DNSAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedff90000"
              }
            ],
            "repeated": 0,
            "id": 1198
          },
          {
            "timestamp": "2025-11-19 20:41:29,573",
            "thread_id": "3612",
            "caller": "0x7ffee34d7cc6",
            "parentcaller": "0x7ffee34addf7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 1199
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d7cc6",
            "parentcaller": "0x7ffee34addf7",
            "category": "network",
            "api": "GetAddrInfoExW",
            "status": false,
            "return": "0x000003e5",
            "arguments": [
              {
                "name": "Name",
                "value": "pastebin.com"
              },
              {
                "name": "ServiceName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1200
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac013",
            "parentcaller": "0x7ffedff9cb2c",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Class",
                "value": "Class"
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1201
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac19f",
            "parentcaller": "0x7ffedff9cb2c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              },
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 1202
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "4092",
            "caller": "0x7ffee110026b",
            "parentcaller": "0x7ffee22cda6a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1203
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "4092",
            "caller": "0x7ffee10c54eb",
            "parentcaller": "0x7ffee22cda9d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1204
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac1db",
            "parentcaller": "0x7ffedff9cb2c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              }
            ],
            "repeated": 0,
            "id": 1205
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffb178d",
            "parentcaller": "0x7ffedff9cb5e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\DNS"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS"
              }
            ],
            "repeated": 0,
            "id": 1206
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "QueryAdapterName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryAdapterName"
              }
            ],
            "repeated": 0,
            "id": 1207
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DisableAdapterDomainName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableAdapterDomainName"
              }
            ],
            "repeated": 0,
            "id": 1208
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UseDomainNameDevolution"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseDomainNameDevolution"
              }
            ],
            "repeated": 0,
            "id": 1209
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "UseDomainNameDevolution"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UseDomainNameDevolution"
              }
            ],
            "repeated": 0,
            "id": 1210
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DomainNameDevolutionLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DomainNameDevolutionLevel"
              }
            ],
            "repeated": 0,
            "id": 1211
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "PrioritizeRecordData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PrioritizeRecordData"
              }
            ],
            "repeated": 0,
            "id": 1212
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee10be6a1",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\rasadhlp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed87c0000"
              }
            ],
            "repeated": 0,
            "id": 1213
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "AllowUnqualifiedQuery"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AllowUnqualifiedQuery"
              }
            ],
            "repeated": 0,
            "id": 1214
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "AllowUnqualifiedQuery"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\AllowUnqualifiedQuery"
              }
            ],
            "repeated": 0,
            "id": 1215
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "AppendToMultiLabelName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AppendToMultiLabelName"
              }
            ],
            "repeated": 0,
            "id": 1216
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ScreenBadTlds"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenBadTlds"
              }
            ],
            "repeated": 0,
            "id": 1217
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ScreenUnreachableServers"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenUnreachableServers"
              }
            ],
            "repeated": 0,
            "id": 1218
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ScreenDefaultServers"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenDefaultServers"
              }
            ],
            "repeated": 0,
            "id": 1219
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DynamicServerQueryOrder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DynamicServerQueryOrder"
              }
            ],
            "repeated": 0,
            "id": 1220
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "FilterClusterIp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterClusterIp"
              }
            ],
            "repeated": 0,
            "id": 1221
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "WaitForNameErrorOnAll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\WaitForNameErrorOnAll"
              }
            ],
            "repeated": 0,
            "id": 1222
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UseEdns"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseEdns"
              }
            ],
            "repeated": 0,
            "id": 1223
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DnsSecureNameQueryFallback"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback"
              }
            ],
            "repeated": 0,
            "id": 1224
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "EnableDAForAllNetworks"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableDAForAllNetworks"
              }
            ],
            "repeated": 0,
            "id": 1225
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DirectAccessQueryOrder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessQueryOrder"
              }
            ],
            "repeated": 0,
            "id": 1226
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "QueryIpMatching"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryIpMatching"
              }
            ],
            "repeated": 0,
            "id": 1227
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UseHostsFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseHostsFile"
              }
            ],
            "repeated": 0,
            "id": 1228
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "AddrConfigControl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AddrConfigControl"
              }
            ],
            "repeated": 0,
            "id": 1229
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableSmartNameResolution"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableSmartNameResolution"
              }
            ],
            "repeated": 0,
            "id": 1230
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "PreferLocalOverLowerBindingDNS"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PreferLocalOverLowerBindingDNS"
              }
            ],
            "repeated": 0,
            "id": 1231
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "QueryNetBTFQDN"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryNetBTFQDN"
              }
            ],
            "repeated": 0,
            "id": 1232
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableSmartProtocolReordering"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableSmartProtocolReordering"
              }
            ],
            "repeated": 0,
            "id": 1233
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UdpRecvBufferSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UdpRecvBufferSize"
              }
            ],
            "repeated": 0,
            "id": 1234
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableParallelAandAAAA"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableParallelAandAAAA"
              }
            ],
            "repeated": 0,
            "id": 1235
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableCoalescing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableCoalescing"
              }
            ],
            "repeated": 0,
            "id": 1236
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "FilterVPNTrigger"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterVPNTrigger"
              }
            ],
            "repeated": 0,
            "id": 1237
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "EnableMultiHomedRouteConflicts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMultiHomedRouteConflicts"
              }
            ],
            "repeated": 0,
            "id": 1238
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ForceQueriesOverTcp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ForceQueriesOverTcp"
              }
            ],
            "repeated": 0,
            "id": 1239
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ShareTcpConnections"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShareTcpConnections"
              }
            ],
            "repeated": 0,
            "id": 1240
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegistrationEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationEnabled"
              }
            ],
            "repeated": 0,
            "id": 1241
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DisableDynamicUpdate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableDynamicUpdate"
              }
            ],
            "repeated": 0,
            "id": 1242
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegisterPrimaryName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterPrimaryName"
              }
            ],
            "repeated": 0,
            "id": 1243
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegisterAdapterName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterAdapterName"
              }
            ],
            "repeated": 0,
            "id": 1244
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "EnableAdapterDomainNameRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration"
              }
            ],
            "repeated": 0,
            "id": 1245
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegisterReverseLookup"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterReverseLookup"
              }
            ],
            "repeated": 0,
            "id": 1246
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DisableReverseAddressRegistrations"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations"
              }
            ],
            "repeated": 0,
            "id": 1247
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegisterWanAdapters"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterWanAdapters"
              }
            ],
            "repeated": 0,
            "id": 1248
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DisableWanDynamicUpdate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableWanDynamicUpdate"
              }
            ],
            "repeated": 0,
            "id": 1249
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegistrationTtl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationTtl"
              }
            ],
            "repeated": 0,
            "id": 1250
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DefaultRegistrationTTL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationTTL"
              }
            ],
            "repeated": 0,
            "id": 1251
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegistrationRefreshInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationRefreshInterval"
              }
            ],
            "repeated": 0,
            "id": 1252
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DefaultRegistrationRefreshInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval"
              }
            ],
            "repeated": 0,
            "id": 1253
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegistrationMaxAddressCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationMaxAddressCount"
              }
            ],
            "repeated": 0,
            "id": 1254
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "MaxNumberOfAddressesToRegister"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister"
              }
            ],
            "repeated": 0,
            "id": 1255
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UpdateSecurityLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateSecurityLevel"
              }
            ],
            "repeated": 0,
            "id": 1256
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "UpdateSecurityLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UpdateSecurityLevel"
              }
            ],
            "repeated": 0,
            "id": 1257
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UpdateTopLevelDomainZones"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones"
              }
            ],
            "repeated": 0,
            "id": 1258
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DowncaseSpnCauseApiOwnerIsTooLazy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy"
              }
            ],
            "repeated": 0,
            "id": 1259
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegistrationOverwrite"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationOverwrite"
              }
            ],
            "repeated": 0,
            "id": 1260
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MaxCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheSize"
              }
            ],
            "repeated": 0,
            "id": 1261
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MaxCacheTtl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheTtl"
              }
            ],
            "repeated": 0,
            "id": 1262
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MaxNegativeCacheTtl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxNegativeCacheTtl"
              }
            ],
            "repeated": 0,
            "id": 1263
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "AdapterTimeoutLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AdapterTimeoutLimit"
              }
            ],
            "repeated": 0,
            "id": 1264
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ServerPriorityTimeLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ServerPriorityTimeLimit"
              }
            ],
            "repeated": 0,
            "id": 1265
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MaxCachedSockets"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCachedSockets"
              }
            ],
            "repeated": 0,
            "id": 1266
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableServerUnreachability"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableServerUnreachability"
              }
            ],
            "repeated": 0,
            "id": 1267
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "EnableMulticast"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMulticast"
              }
            ],
            "repeated": 0,
            "id": 1268
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MulticastResponderFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastResponderFlags"
              }
            ],
            "repeated": 0,
            "id": 1269
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MulticastSenderFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderFlags"
              }
            ],
            "repeated": 0,
            "id": 1270
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MulticastSenderMaxTimeout"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout"
              }
            ],
            "repeated": 0,
            "id": 1271
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "EnableMDNS"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMDNS"
              }
            ],
            "repeated": 0,
            "id": 1272
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DnsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsTest"
              }
            ],
            "repeated": 0,
            "id": 1273
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UseCompartments"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseCompartments"
              }
            ],
            "repeated": 0,
            "id": 1274
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "CacheAllCompartments"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\CacheAllCompartments"
              }
            ],
            "repeated": 0,
            "id": 1275
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UseNewRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseNewRegistration"
              }
            ],
            "repeated": 0,
            "id": 1276
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ResolverRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistration"
              }
            ],
            "repeated": 0,
            "id": 1277
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ResolverRegistrationOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistrationOnly"
              }
            ],
            "repeated": 0,
            "id": 1278
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "NewDhcpSrvRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\NewDhcpSrvRegistration"
              }
            ],
            "repeated": 0,
            "id": 1279
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DirectAccessPreferLocal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessPreferLocal"
              }
            ],
            "repeated": 0,
            "id": 1280
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableIdnEncoding"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableIdnEncoding"
              }
            ],
            "repeated": 0,
            "id": 1281
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "EnableIdnMapping"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableIdnMapping"
              }
            ],
            "repeated": 0,
            "id": 1282
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ShortnameProxyDefault"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShortnameProxyDefault"
              }
            ],
            "repeated": 0,
            "id": 1283
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableNRPTForAdapterRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableNRPTForAdapterRegistration"
              }
            ],
            "repeated": 0,
            "id": 1284
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "TestMode_AdaptiveTimeoutHistoryLength"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutHistoryLength"
              }
            ],
            "repeated": 0,
            "id": 1285
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "TestMode_AdaptiveTimeoutRecalculationInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutRecalculationInterval"
              }
            ],
            "repeated": 0,
            "id": 1286
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffabccb",
            "parentcaller": "0x7ffedffaaa57",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DnsQueryTimeouts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQueryTimeouts"
              }
            ],
            "repeated": 0,
            "id": 1287
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffaa179",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DnsQueryTimeouts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQueryTimeouts"
              }
            ],
            "repeated": 0,
            "id": 1288
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffabccb",
            "parentcaller": "0x7ffedffaaa57",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DnsQuickQueryTimeouts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts"
              }
            ],
            "repeated": 0,
            "id": 1289
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffaa179",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DnsQuickQueryTimeouts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts"
              }
            ],
            "repeated": 0,
            "id": 1290
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac301",
            "parentcaller": "0x7ffedff9cbe1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1291
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac316",
            "parentcaller": "0x7ffedff9cbe1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1292
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac013",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Class",
                "value": "Class"
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1293
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac19f",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              },
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 1294
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac1db",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              }
            ],
            "repeated": 0,
            "id": 1295
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffa835a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "Hostname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname"
              }
            ],
            "repeated": 0,
            "id": 1296
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa88d",
            "parentcaller": "0x7ffedffa835a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "Hostname"
              },
              {
                "name": "Data",
                "value": "HOME-PC"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname"
              }
            ],
            "repeated": 0,
            "id": 1297
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa9d8",
            "parentcaller": "0x7ffedffa835a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1298
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa9ed",
            "parentcaller": "0x7ffedffa835a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1299
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac013",
            "parentcaller": "0x7ffedffa9bf3",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Class",
                "value": "Class"
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1300
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac19f",
            "parentcaller": "0x7ffedffa9bf3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              },
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 1301
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac1db",
            "parentcaller": "0x7ffedffa9bf3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              }
            ],
            "repeated": 0,
            "id": 1302
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffa9c33",
            "parentcaller": "0x7ffedffa8371",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\System\\DNSClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient"
              }
            ],
            "repeated": 0,
            "id": 1303
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffa9c69",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "Domain"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain"
              }
            ],
            "repeated": 0,
            "id": 1304
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa88d",
            "parentcaller": "0x7ffedffa9c69",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "Domain"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain"
              }
            ],
            "repeated": 0,
            "id": 1305
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac301",
            "parentcaller": "0x7ffedffa9ce8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1306
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac316",
            "parentcaller": "0x7ffedffa9ce8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1307
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac013",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Class",
                "value": "Class"
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1308
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac19f",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              },
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 1309
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffac1db",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              }
            ],
            "repeated": 0,
            "id": 1310
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffa9b67",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "Hostname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname"
              }
            ],
            "repeated": 0,
            "id": 1311
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa88d",
            "parentcaller": "0x7ffedffa9b67",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "Hostname"
              },
              {
                "name": "Data",
                "value": "HOME-PC"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname"
              }
            ],
            "repeated": 0,
            "id": 1312
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa9d8",
            "parentcaller": "0x7ffedffa9b67",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1313
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffedffaa9ed",
            "parentcaller": "0x7ffedffa9b67",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1314
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee2111793",
            "parentcaller": "0x7ffedff5207d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ec"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xf7\\xdf\\xfe\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xea\\x08\\x07\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xf7\\xdf\\xfe\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xea\\x08\\x07\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1315
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee21117c7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1316
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee004f000"
              },
              {
                "name": "ModuleName",
                "value": "DNSAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1317
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee004f000"
              },
              {
                "name": "ModuleName",
                "value": "DNSAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1318
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1319
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee3350cd1",
            "parentcaller": "0x7ffee337e1fa",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1320
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee110026b",
            "parentcaller": "0x7ffee3350daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1321
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34a8cde",
            "parentcaller": "0x7ffee34e9c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xc5\\x04\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x8f\\x94\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1322
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6e46",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xa6\\x98\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1323
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6e9b",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xa8\\x98\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1324
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6ec0",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1325
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f0e",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xb7\\x9a\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1326
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f37",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1327
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f8f",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xa8\\x98\\x00\\x00\\x00\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1do\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1328
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d7048",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x9b\\x98\\xc4\\xfe\\x7f\\x00\\x00+\\x06q\\xc4\\xfe\\x7f\\x00\\x00\\xd2\\xe4\\xf9m\\xe5\\xb8\\x00\\x00\\x80\\xba\\x94\\xc4\\xfe\\x7f\\x00\\x00`\\xe1\\x08\\x07\\x00\\x00\\x00\\x00X\\xe1\\x08\\x07\\x00\\x00\\x00\\x00(\\xe1\\x08\\x07\\x00\\x00\\x00\\x00H\\xe1\\x08\\x07"
              }
            ],
            "repeated": 0,
            "id": 1329
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d707b",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xa8\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19{r\\xc4\\xfe\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xdf\\x08\\x07\\x00\\x00\\x00\\x00\\x8c\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00i\\xa3\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\n\\x95\\xc4"
              }
            ],
            "repeated": 0,
            "id": 1330
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34a8cde",
            "parentcaller": "0x7ffee34a953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xc5\\x04\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x8f\\x94\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1331
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6e46",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xa9\\x98\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1332
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6e9b",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xa9\\x98\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00e\\x00m\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00p\\x00n\\x00r\\x00p\\x00n\\x00s\\x00p\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x001\\x000\\x000\\x001\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1333
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6ec0",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1334
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f0e",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xb1\\x9a\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1335
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f37",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1336
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c7a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1337
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f8f",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xa3\\xc7\\x05\\x00\\x00\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1do\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1338
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d7048",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x9b\\x98\\xc4\\xfe\\x7f\\x00\\x00+\\x06q\\xc4\\xfe\\x7f\\x00\\x00r\\xe9\\xf9m\\xe5\\xb8\\x00\\x00\\x80\\xba\\x94\\xc4\\xfe\\x7f\\x00\\x00\\xc0\\xdd\\x08\\x07\\x00\\x00\\x00\\x00\\xb8\\xdd\\x08\\x07\\x00\\x00\\x00\\x00\\x88\\xdd\\x08\\x07\\x00\\x00\\x00\\x00\\xa8\\xdd\\x08\\x07"
              }
            ],
            "repeated": 0,
            "id": 1339
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d707b",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xa3\\xc7\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19{r\\xc4\\xfe\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xdb\\x08\\x07\\x00\\x00\\x00\\x00\\x8c\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00i\\xa3\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\n\\x95\\xc4"
              }
            ],
            "repeated": 0,
            "id": 1340
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee3350e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1341
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee3350e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1342
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1343
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee3350cd1",
            "parentcaller": "0x7ffee3381530",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000048c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1344
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee110026b",
            "parentcaller": "0x7ffee3350daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1345
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34a8cde",
            "parentcaller": "0x7ffee34e9c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xc5\\x04\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x8f\\x94\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1346
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6e46",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xa6\\x98\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1347
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6e9b",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xa8\\x98\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1348
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6ec0",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1349
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f0e",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xb0\\x9a\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1350
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f37",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1351
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f8f",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xa8\\x98\\x00\\x00\\x00\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1do\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1352
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d7048",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x9b\\x98\\xc4\\xfe\\x7f\\x00\\x00+\\x06q\\xc4\\xfe\\x7f\\x00\\x00r\\xeb\\xf9m\\xe5\\xb8\\x00\\x00\\x80\\xba\\x94\\xc4\\xfe\\x7f\\x00\\x00\\xc0\\xdf\\x08\\x07\\x00\\x00\\x00\\x00\\xb8\\xdf\\x08\\x07\\x00\\x00\\x00\\x00\\x88\\xdf\\x08\\x07\\x00\\x00\\x00\\x00\\xa8\\xdf\\x08\\x07"
              }
            ],
            "repeated": 0,
            "id": 1353
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d707b",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xa8\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19{r\\xc4\\xfe\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xdd\\x08\\x07\\x00\\x00\\x00\\x00\\x90\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00i\\xa3\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\n\\x95\\xc4"
              }
            ],
            "repeated": 0,
            "id": 1354
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34a8cde",
            "parentcaller": "0x7ffee34a953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "L\\xc5\\x04\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x8f\\x94\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1355
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6e46",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xa9\\x98\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1356
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6e9b",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xa9\\x98\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00e\\x00m\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00p\\x00n\\x00r\\x00p\\x00n\\x00s\\x00p\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x001\\x000\\x000\\x001\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1357
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6ec0",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1358
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f0e",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xb1\\x9a\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1359
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f37",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1360
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d6f8f",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "h\\x9b\\xc7\\x05\\x00\\x00\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1do\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1361
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d7048",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x9b\\x98\\xc4\\xfe\\x7f\\x00\\x00+\\x06q\\xc4\\xfe\\x7f\\x00\\x00\\x92\\xef\\xf9m\\xe5\\xb8\\x00\\x00\\x80\\xba\\x94\\xc4\\xfe\\x7f\\x00\\x00 \\xdc\\x08\\x07\\x00\\x00\\x00\\x00\\x18\\xdc\\x08\\x07\\x00\\x00\\x00\\x00\\xe8\\xdb\\x08\\x07\\x00\\x00\\x00\\x00\\x08\\xdc\\x08\\x07"
              }
            ],
            "repeated": 0,
            "id": 1362
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34d707b",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x9b\\xc7\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19{r\\xc4\\xfe\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x08\\xda\\x08\\x07\\x00\\x00\\x00\\x00\\x90\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00i\\xa3\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\n\\x95\\xc4"
              }
            ],
            "repeated": 0,
            "id": 1363
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34ed41f",
            "parentcaller": "0x7ffee34a99ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xdd\\x08\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xe2\\x08\\x07\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\xf1 \\xf9-"
              }
            ],
            "repeated": 0,
            "id": 1364
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34ed48d",
            "parentcaller": "0x7ffee34a99ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1365
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34ed4da",
            "parentcaller": "0x7ffee34a99ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": "\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xed\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\xb4\\xed\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\xc0\\xed\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x01\\x00\\x1f\\x00\\xcc\\xed\\xc6\\x05\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00 \\x02\\x00\\x00\\xdc\\xed\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\xec\\xed\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xed\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\xee\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xee\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\xee\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xee\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\xc0\\x00\\x00\\x00\\x00<\\xee\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xee\\xc6\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xee\\xc6\\x05\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f"
              }
            ],
            "repeated": 0,
            "id": 1366
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee3350e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1367
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee3350e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1368
          },
          {
            "timestamp": "2025-11-19 20:41:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1369
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22cb9b2",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\fwpuclnt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed8cb0000"
              }
            ],
            "repeated": 0,
            "id": 1370
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22cb9b2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\FWPUCLNT.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8cb0000"
              }
            ],
            "repeated": 0,
            "id": 1371
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22cb9b2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffed8cb0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1372
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee22cb9e9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffed8cb0000"
              },
              {
                "name": "FunctionName",
                "value": "NamespaceCallout"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffed8cb2900"
              }
            ],
            "repeated": 0,
            "id": 1373
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee110026b",
            "parentcaller": "0x7ffed8cb35f2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1374
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffed8cb361f",
            "parentcaller": "0x7ffed8cb2c4c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1375
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8cb363d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1376
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c7c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1377
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1378
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c81000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1379
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee10bf84f",
            "parentcaller": "0x7ffed8cb2752",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              },
              {
                "name": "EventName",
                "value": "Global\\BFE_Notify_Event_{87f55029-151d-4aee-b1b9-e6fd4a1f11bb}"
              }
            ],
            "repeated": 0,
            "id": 1380
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8cb2d61",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              }
            ],
            "repeated": 0,
            "id": 1381
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee22c4f08",
            "parentcaller": "0x7ffee22c739f",
            "category": "network",
            "api": "socket",
            "status": true,
            "return": "0x000004b0",
            "arguments": [
              {
                "name": "af",
                "value": "23",
                "pretty_value": "AF_INET6"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "0"
              },
              {
                "name": "socket",
                "value": "1200"
              }
            ],
            "repeated": 0,
            "id": 1382
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee0265419",
            "parentcaller": "0x7ffee22c54fa",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "IoControlCode",
                "value": "0x000120bf",
                "pretty_value": "IOCTL_AFD_DEFER_ACCEPT"
              },
              {
                "name": "InputBuffer",
                "value": "\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\xc8\\x01\\x00\\x00\\x00\\x10\\xb6\\x9a\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x02\\x00\\x00\\x00s\\x00t\\x00`~\\x9a\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00o\\x00m\\x00|~\\x9a\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1383
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee02680fc",
            "parentcaller": "0x7ffee02654a3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1384
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "3612",
            "caller": "0x7ffee22c4f8a",
            "parentcaller": "0x7ffee22c739f",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1200"
              }
            ],
            "repeated": 0,
            "id": 1385
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffec77b1ce0",
            "parentcaller": "0x7ffec77b1bc8",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1386
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffec77b0ac2",
            "parentcaller": "0x7ffec77af117",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x0000048c",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "1",
                "pretty_value": "SOCK_STREAM"
              },
              {
                "name": "protocol",
                "value": "6",
                "pretty_value": "IPPROTO_TCP"
              },
              {
                "name": "socket",
                "value": "1164"
              }
            ],
            "repeated": 0,
            "id": 1387
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffec77b0b3b",
            "parentcaller": "0x7ffec77af117",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              },
              {
                "name": "level",
                "value": "0x7ffe0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00003007"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1388
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffec77b0b82",
            "parentcaller": "0x7ffec77af117",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1389
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffec77b0bb8",
            "parentcaller": "0x7ffec77af117",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              },
              {
                "name": "level",
                "value": "0x7ffe00000006"
              },
              {
                "name": "optname",
                "value": "0x00000001"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1390
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee22c9653",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1391
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee22c9653",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1392
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c84000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1393
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee22c9653",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1394
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee22c9653",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1395
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee0260000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1396
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1397
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\mswsock.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1398
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\mswsock.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1399
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05420000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06c8da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1400
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1401
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee0260000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 4,
            "id": 1402
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x05440002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wshqos.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1403
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1404
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1405
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1406
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06c8da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1407
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1408
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34da871",
            "parentcaller": "0x7ffee10bad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1409
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34da87f",
            "parentcaller": "0x7ffee10bad69",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1410
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee10bad9e",
            "parentcaller": "0x7ffee22d0f45",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05440000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 1411
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x05440002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wshqos.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1412
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1413
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1414
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1415
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06c8da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1416
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1417
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34da871",
            "parentcaller": "0x7ffee10bad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1418
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34da87f",
            "parentcaller": "0x7ffee10bad69",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1419
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee10bad9e",
            "parentcaller": "0x7ffee22d0f45",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05440000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 1420
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x05440002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wshqos.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1421
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1422
          },
          {
            "timestamp": "2025-11-19 20:41:29,604",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1423
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1424
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06c8da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1425
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1426
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34da871",
            "parentcaller": "0x7ffee10bad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1427
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34da87f",
            "parentcaller": "0x7ffee10bad69",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1428
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee10bad9e",
            "parentcaller": "0x7ffee22d0f45",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05440000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 1429
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x05440002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wshqos.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1430
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1431
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1432
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1433
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06c8da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1434
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1435
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34da871",
            "parentcaller": "0x7ffee10bad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1436
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34da87f",
            "parentcaller": "0x7ffee10bad69",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1437
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee10bad9e",
            "parentcaller": "0x7ffee22d0f45",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05440000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 1438
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee167e28a",
            "parentcaller": "0x7ffec77b0c99",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1439
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee34e5ebd",
            "parentcaller": "0x7ffee34e5dd8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf85\\x96\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1440
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffec77afc47",
            "parentcaller": "0x7ffec77af179",
            "category": "network",
            "api": "ConnectEx",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              },
              {
                "name": "SendBuffer",
                "value": ""
              },
              {
                "name": "ip",
                "value": "172.66.171.73"
              },
              {
                "name": "port",
                "value": "443"
              }
            ],
            "repeated": 0,
            "id": 1441
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee22d2f0d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 1442
          },
          {
            "timestamp": "2025-11-19 20:41:29,620",
            "thread_id": "4092",
            "caller": "0x7ffee347c23a",
            "parentcaller": "0x7ffee34c37ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000458"
              }
            ],
            "repeated": 0,
            "id": 1443
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffec77b1244",
            "parentcaller": "0x7ffec77ae8eb",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              },
              {
                "name": "level",
                "value": "0x7ffe0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00007010"
              },
              {
                "name": "optval",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1444
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffee0264869",
            "parentcaller": "0x7ffee22d0970",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "IoControlCode",
                "value": "0x0001202f",
                "pretty_value": "IOCTL_AFD_GET_SOCK_NAME"
              },
              {
                "name": "InputBuffer",
                "value": ""
              },
              {
                "name": "OutputBuffer",
                "value": "\\x02\\x00\\xc2\\x11\\xc0\\xa8\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1445
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0a43311",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\schannel"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedfaa0000"
              }
            ],
            "repeated": 0,
            "id": 1446
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0a43311",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\schannel.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfaa0000"
              }
            ],
            "repeated": 0,
            "id": 1447
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0a43311",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffedfaa0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\schannel.DLL"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1448
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee0a4345b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffedfaa0000"
              },
              {
                "name": "FunctionName",
                "value": "SpUserModeInitialize"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffedfab3ec0"
              }
            ],
            "repeated": 0,
            "id": 1449
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffedfab3f81",
            "parentcaller": "0x7ffedfab3efe",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1450
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffedfab3fd0",
            "parentcaller": "0x7ffedfab3efe",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "UserContextLockCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextLockCount"
              }
            ],
            "repeated": 0,
            "id": 1451
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffedfab4043",
            "parentcaller": "0x7ffedfab3efe",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "UserContextListCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextListCount"
              }
            ],
            "repeated": 0,
            "id": 1452
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffedfab4080",
            "parentcaller": "0x7ffedfab3efe",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              }
            ],
            "repeated": 0,
            "id": 1453
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c86000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1454
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffee0a45563",
            "parentcaller": "0x7ffee0a451d8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p2\\x00\\x00\\x00\\x00\\x00,\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4092"
              }
            ],
            "repeated": 0,
            "id": 1455
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffee0a46943",
            "parentcaller": "0x7ffee0a45ca2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p2\\x00\\x00\\x00\\x00\\x00,\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4092"
              }
            ],
            "repeated": 0,
            "id": 1456
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffec77be76b",
            "parentcaller": "0x7ffec779c9ba",
            "category": "network",
            "api": "WSASend",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Socket",
                "value": "1164"
              },
              {
                "name": "Buffer",
                "value": "\\x16\\x03\\x03\\x00\\xae\\x01\\x00\\x00\\xaa\\x03\\x03i\\x1e+y\\xeb\\x84\\x9f\\x05\\x99([\\xe8\\x86\\xec\\x9b\\x88\\xe3\\x87l'j,\\x90d\\x05J\\xd7\\xf5\\xb7\\xb3\\xcc\\xdb\\x00\\x00&\\xc0,\\xc0+\\xc00\\xc0/\\xc0$\\xc0#\\xc0(\\xc0'\\xc0\n\\xc0\t\\xc0\\x14\\xc0\\x13\\x00\\x9d\\x00\\x9c\\x00=\\x00<\\x005\\x00/\\x00\n\\x01\\x00\\x00[\\x00\\x00\\x00\\x11\\x00\\x0f\\x00\\x00\\x0cpastebin.com\\x00\\x05\\x00\\x05\\x01\\x00\\x00\\x00\\x00\\x00\n\\x00\\x08\\x00\\x06\\x00\\x1d\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00\\x00\r\\x00\\x1a\\x00\\x18\\x08\\x04\\x08\\x05\\x08\\x06\\x04\\x01\\x05\\x01\\x02\\x01\\x04\\x03\\x05\\x03\\x02\\x03\\x02\\x02\\x06\\x01\\x06\\x03\\x00#\\x00\\x00\\x00\\x17\\x00\\x00\\xff\\x01\\x00\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1457
          },
          {
            "timestamp": "2025-11-19 20:41:29,651",
            "thread_id": "4092",
            "caller": "0x7ffec77bb648",
            "parentcaller": "0x7ffec779c7cd",
            "category": "network",
            "api": "WSARecv",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              }
            ],
            "repeated": 0,
            "id": 1458
          },
          {
            "timestamp": "2025-11-19 20:41:29,698",
            "thread_id": "4092",
            "caller": "0x7ffee0a46943",
            "parentcaller": "0x7ffee0a45ca2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p2\\x00\\x00\\x00\\x00\\x00,\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4092"
              }
            ],
            "repeated": 0,
            "id": 1459
          },
          {
            "timestamp": "2025-11-19 20:41:29,745",
            "thread_id": "4092",
            "caller": "0x7ffec77be76b",
            "parentcaller": "0x7ffec779c9ba",
            "category": "network",
            "api": "WSASend",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Socket",
                "value": "1164"
              },
              {
                "name": "Buffer",
                "value": "\\x16\\x03\\x03\\x00%\\x10\\x00\\x00! \\xb9\\xa4|\\x8e\\xf2>\\xc6\\x9d\\xc5\\xf9\\xcf\\xd9?H\\x87\\xe5\\xd9\\x06\\xfaF\\xee\\x99n\\xd9\\xa0%\\xd2\\x92H\\x1e\\x02\\x1f\\x14\\x03\\x03\\x00\\x01\\x01\\x16\\x03\\x03\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00c]\\xa6\\xd6w\\x96ORw{S@\\x0e_\\x1a\\x12\\xc0\\xe4\\xe6`\\xd0\\xaa\\x7f\\xb7H\\xef^l\\xca\\x86\\xb94"
              }
            ],
            "repeated": 0,
            "id": 1460
          },
          {
            "timestamp": "2025-11-19 20:41:29,745",
            "thread_id": "4092",
            "caller": "0x7ffec77bb648",
            "parentcaller": "0x7ffec779c7cd",
            "category": "network",
            "api": "WSARecv",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              }
            ],
            "repeated": 0,
            "id": 1461
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee0a46943",
            "parentcaller": "0x7ffee0a45ca2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p2\\x00\\x00\\x00\\x00\\x00,\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4092"
              }
            ],
            "repeated": 0,
            "id": 1462
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c88000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1463
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab5583",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "sspicli.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0a40000"
              }
            ],
            "repeated": 0,
            "id": 1464
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab5583",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee0a40000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "sspicli.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1465
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffedfab55a5",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SspiCli.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee0a40000"
              },
              {
                "name": "FunctionName",
                "value": "FreeContextBuffer"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee0a44820"
              }
            ],
            "repeated": 0,
            "id": 1466
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab55c7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\mskeyprotect"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb060000"
              }
            ],
            "repeated": 0,
            "id": 1467
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab55c7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NTASN1"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0530000"
              }
            ],
            "repeated": 0,
            "id": 1468
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab55c7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "mskeyprotect.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecb060000"
              }
            ],
            "repeated": 0,
            "id": 1469
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab55c7",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffecb060000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "mskeyprotect.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 1470
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffedfab55e9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mskeyprotect.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecb060000"
              },
              {
                "name": "FunctionName",
                "value": "KeyFileProtectSessionTicket"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecb0674d0"
              }
            ],
            "repeated": 0,
            "id": 1471
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffedfab560a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mskeyprotect.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecb060000"
              },
              {
                "name": "FunctionName",
                "value": "KeyFileUnprotectSessionTicket"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecb0679b0"
              }
            ],
            "repeated": 0,
            "id": 1472
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee352e53f",
            "parentcaller": "0x7ffee348faf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1473
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee3485157",
            "parentcaller": "0x7ffee34843ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "ncrypt.dll"
              }
            ],
            "repeated": 0,
            "id": 1474
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee34cf37b",
            "parentcaller": "0x7ffee34cf207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\ncrypt.dll"
              }
            ],
            "repeated": 0,
            "id": 1475
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee34cf37b",
            "parentcaller": "0x7ffee34cf207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ncrypt.dll"
              }
            ],
            "repeated": 0,
            "id": 1476
          },
          {
            "timestamp": "2025-11-19 20:41:29,776",
            "thread_id": "4092",
            "caller": "0x7ffee34cfc9c",
            "parentcaller": "0x7ffee34cf7b0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ncrypt.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1477
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34cfcfe",
            "parentcaller": "0x7ffee34cf7b0",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000528"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000524"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ncrypt.dll"
              }
            ],
            "repeated": 0,
            "id": 1478
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee3484d42",
            "parentcaller": "0x7ffee3484aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000528"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0570000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00027000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1479
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee347fee4",
            "parentcaller": "0x7ffee347fad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1480
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee3485082",
            "parentcaller": "0x7ffee34879d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0589000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1481
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34cfd68",
            "parentcaller": "0x7ffee34cf7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000528"
              }
            ],
            "repeated": 0,
            "id": 1482
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34cfd71",
            "parentcaller": "0x7ffee34cf7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 1483
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7bac",
            "parentcaller": "0x7ffee34a288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0589000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1484
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7bac",
            "parentcaller": "0x7ffee34a288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ncrypt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0570000"
              }
            ],
            "repeated": 0,
            "id": 1485
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34d7cc6",
            "parentcaller": "0x7ffee34addf7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 4,
            "id": 1486
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1487
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1488
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\ncrypt"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0570000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee0576200"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1489
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb33000"
              },
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1490
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb33000"
              },
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1491
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1492
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1493
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x02\\x00\\x01\\x00\\xfe\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00S\\x00S\\x00L\\x00 \\x00P\\x00r\\x00o\\x00t\\x00o\\x00c\\x00o\\x00l\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x01\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffP\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00r\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffM\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00S\\x00S\\x00L\\x00 \\x00P\\x00r\\x00o\\x00t\\x00o\\x00c\\x00o\\x00l\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00n\\x00c\\x00r\\x00y\\x00p\\x00t\\x00s\\x00s\\x00l\\x00p\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1494
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0574501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\ncryptsslp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb1a0000"
              }
            ],
            "repeated": 0,
            "id": 1495
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0574501",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ncryptsslp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecb1a0000"
              }
            ],
            "repeated": 0,
            "id": 1496
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0574501",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffecb1a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\ncryptsslp.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1497
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee05741ce",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ncryptsslp.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecb1a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSChannelInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecb1a1990"
              }
            ],
            "repeated": 0,
            "id": 1498
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00S\\x00H\\x00A\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x001\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffS\\x00H\\x00A\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1499
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee14e2199",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1390000"
              }
            ],
            "repeated": 0,
            "id": 1500
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee14e2199",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee1390000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\bcryptprimitives.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1501
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee14e1bc4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1390000"
              },
              {
                "name": "FunctionName",
                "value": "GetHashInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee13a4460"
              }
            ],
            "repeated": 1,
            "id": 1502
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00M\\x00D\\x005\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x005\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffM\\x00D\\x005\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1503
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee14e1bc4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1390000"
              },
              {
                "name": "FunctionName",
                "value": "GetHashInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee13a4460"
              }
            ],
            "repeated": 1,
            "id": 1504
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00A\\x00E\\x00S\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00S\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffA\\x00E\\x00S\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x00\\x00\\x00\\x00\\x00\\x00\\x00K\\x00e\\x00y\\x00L\\x00e\\x00n\\x00g\\x00t\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 1505
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c8c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1506
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee14e1bc4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1390000"
              },
              {
                "name": "FunctionName",
                "value": "GetCipherInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee13a9910"
              }
            ],
            "repeated": 0,
            "id": 1507
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffecb1a2af2",
            "parentcaller": "0x7ffee057220a",
            "category": "crypto",
            "api": "BCryptImportKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyBlob",
                "value": "0\\x02\\x00\\x00KSSM\\x02\\x00\\x01\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xb1\\xa3\nN_-\\xbe9-\\x0cb\\x1e~\\xc4z\\xce\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa3\nN_-\\xbe9-\\x0cb\\x1e~\\xc4z\\xce\\xacy\\x81\\xbd\\xf3T?\\x84\\xdeX]\\x9a\\xa0\\x9c'Tp\\xb5\\xa1]\\x83\\xe1\\x9e\\xd9]\\xb9\\xc3C\\xfd%\\xe4\\x17K\\xdcQ\t\\xc8=\\xcf\\xd0\\x95\\x84\\x0c\\x93h\\xa1\\xe8\\x84qG\\x0eL\\xb9z\\xc1\\x9c,\\xfe\\xcd\\x0fD_%\\x8b\\xaex3W\\x17\\x02\\xf2\\xcb;\\xfc?\\xc4\\x7f\\xa3\\x1aO\\x84\\xda\\xb7\\x85\\x93\\xd8EN\\xa8$z\\x8a\\xd7\\x87`\\xc5\\xd3\n\\x11\\x8b@\\xd2T\\xc5\\xe8\\xf6.O?qN\\x8a\\xf0%o\\xfe\\xb0\\xf7;;X\\x01\\x15tgp[\\xfe\\xba\\x1c\\xd4{\n\\xeb\\xef@R\\xea\\xfa45\\x9a\\xa1\\xca4.\\xa0\\xed>\\xc5O\\xadl/\\xb5\\x99Y\\xb5\\x14S\\x0fQs$bq\\x1bFDt\\x00F\\xa8\t\\xaf\\xca"
              },
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "CryptKey",
                "value": "0x05c8cb00"
              },
              {
                "name": "Length",
                "value": "560"
              }
            ],
            "repeated": 0,
            "id": 1508
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffecb1a2af2",
            "parentcaller": "0x7ffee057220a",
            "category": "crypto",
            "api": "BCryptImportKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyBlob",
                "value": "0\\x02\\x00\\x00KSSM\\x02\\x00\\x01\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xe1\\xdc^\\xc8\\x91\\x14&\\x93i\\xf4\\x91\\xc3\\x1dL\\xe1v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe1\\xdc^\\xc8\\x91\\x14&\\x93i\\xf4\\x91\\xc3\\x1dL\\xe1v\\xc9$flX0@\\xff1\\xc4\\xd1<,\\x880J\\x0f \\xb0\\x1dW\\x10\\xf0\\xe2f\\xd4!\\xdeJ\\\\x11\\x94A\\xa2\\x92\\xcb\\x16\\xb2b)pfC\\xf7::Rc\\xc9\\xa2iK\\xdf\\x10\\x0bb\\xafvH\\x95\\x95L\\x1a\\xf6\\xf0\\x00+a/\\x10 \\x03\\x80fh\\x96\\x15*r`5@\\xfb8\\x1aP\\xdb;\\x9a6\\xb3\\xad\\x8f\\x1c\\xc1\\xcd\\xe98FK\\xf3h\\x9dpi^.\\xdd\\xe6B\\xef\\x10E\\xe7\\x8c\\xc5\\xb6\\x8f\\x11\\xb5\\xdf\\xd1?h9\\x93\\xd0x\\x82\\x970\\xd74\\x18!b\\xeb\\xc9\\x1e\n\\xd2Z\\xcer\n\\x1cpb>\\x04Q\\x00\\xd5\\xcdO\n\\x07\\x97\\x81xu\\xfa8E\\x02\\xa3\\xc9\\x07\\xcb\\xc0Ro&FR\\x06"
              },
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "CryptKey",
                "value": "0x05c8d840"
              },
              {
                "name": "Length",
                "value": "560"
              }
            ],
            "repeated": 0,
            "id": 1509
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb33000"
              },
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1510
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb33000"
              },
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1511
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\MSASN1"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0690000"
              }
            ],
            "repeated": 0,
            "id": 1512
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\xa60\\x82\\x03L\\xa0\\x03\\x02\\x01\\x02\\x02\\x11\\x00\\xfc_eMG\\x92\\xa06\\x0eoE4\\xb9\\xf3\\x11\\xe70\n\\x06\\x08*\\x86H\\xce=\\x04\\x03\\x020;1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\\x1e0\\x1c\\x06\\x03U\\x04\n\\x13\\x15Google Trust Services1\\x0c0\n\\x06\\x03U\\x04\\x03\\x13\\x03WE10\\x1e\\x17\r251119161223Z\\x17\r260217171220Z0\\x171\\x150\\x13\\x06\\x03U\\x04\\x03\\x13\\x0cpastebin.com0Y0\\x13\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x08*\\x86H\\xce=\\x03\\x01\\x07\\x03B\\x00\\x04\t\\xd6\\xc7\\xed\\x85GCf\\x9b|p\\xd2\\x95\\xe4\\xfb\\x87\\xa8\\xb8\\xca\\x86E\\x1d5Qu7\\xdeA%\\xae\\x1cS\\x03\\x8b\\xa6\\xf7wT\\xfb\\xf9\\xa7Oh\\xe6,\\x8c l\\xcf\\x16\\xa2\\x1e)b\\xa8v%\\x88e\\xdbl\\x8c\\x80\\xe2\\xa3\\x82\\x02"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1513
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x02\\x9f0\\x82\\x02%\\xa0\\x03\\x02\\x01\\x02\\x02\\x10\\x7f\\xf3\\x19w\\x97,\"Jv\\x15]\\x13\\xb6\\xd6\\x85\\xe30\n\\x06\\x08*\\x86H\\xce=\\x04\\x03\\x030G1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\"0 \\x06\\x03U\\x04\n\\x13\\x19Google Trust Services LLC1\\x140\\x12\\x06\\x03U\\x04\\x03\\x13\\x0bGTS Root R40\\x1e\\x17\r231213090000Z\\x17\r290220140000Z0;1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\\x1e0\\x1c\\x06\\x03U\\x04\n\\x13\\x15Google Trust Services1\\x0c0\n\\x06\\x03U\\x04\\x03\\x13\\x03WE10Y0\\x13\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x08*\\x86H\\xce=\\x03\\x01\\x07\\x03B\\x00\\x04o\\xcd:\\xfegWGL!\\x03\\x85@\\xc2G]\\xbbXG\\x0f@"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1514
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03z0\\x82\\x02b\\xa0\\x03\\x02\\x01\\x02\\x02\\x10\\x7f\\xe50\\xbf3\\x13C\\xbe\\xdd\\x82\\x16\\x10I=\\x8a\\x1b0\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x0b\\x05\\x000W1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02BE1\\x190\\x17\\x06\\x03U\\x04\n\\x13\\x10GlobalSign nv-sa1\\x100\\x0e\\x06\\x03U\\x04\\x0b\\x13\\x07Root CA1\\x1b0\\x19\\x06\\x03U\\x04\\x03\\x13\\x12GlobalSign Root CA0\\x1e\\x17\r231115034321Z\\x17\r280128000042Z0G1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\"0 \\x06\\x03U\\x04\n\\x13\\x19Google Trust Services LLC1\\x140\\x12\\x06\\x03U\\x04\\x03\\x13\\x0bGTS Root R40v0\\x10\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x05+"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1515
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe549",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID"
              },
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID"
              }
            ],
            "repeated": 0,
            "id": 1516
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000548"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 0"
              },
              {
                "name": "Handle",
                "value": "0x00000464"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1517
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000464"
              },
              {
                "name": "SubKey",
                "value": "CryptDllFindOIDInfo"
              },
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo"
              }
            ],
            "repeated": 0,
            "id": 1518
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.10.3.37!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7"
              }
            ],
            "repeated": 0,
            "id": 1519
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004b4"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.10.3.37!7"
              },
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7"
              }
            ],
            "repeated": 0,
            "id": 1520
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "70"
              }
            ],
            "repeated": 0,
            "id": 1521
          },
          {
            "timestamp": "2025-11-19 20:41:29,791",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1522
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7"
              },
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7"
              }
            ],
            "repeated": 0,
            "id": 1523
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1524
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1525
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1526
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1527
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1528
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1529
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1530
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1531
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ci.dll"
              }
            ],
            "repeated": 0,
            "id": 1532
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Isolated User Mode (IUM)"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100"
              }
            ],
            "repeated": 0,
            "id": 1533
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1534
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1535
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1536
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1537
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1538
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1539
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1540
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1541
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1542
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ci.dll"
              }
            ],
            "repeated": 0,
            "id": 1543
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Isolated User Mode (IUM)"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100"
              }
            ],
            "repeated": 0,
            "id": 1544
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1545
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 1546
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1547
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.10.3.42!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7"
              }
            ],
            "repeated": 0,
            "id": 1548
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004b4"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.10.3.42!7"
              },
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7"
              }
            ],
            "repeated": 0,
            "id": 1549
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "70"
              }
            ],
            "repeated": 0,
            "id": 1550
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1551
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7"
              },
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7"
              }
            ],
            "repeated": 0,
            "id": 1552
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1553
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1554
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1555
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1556
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1557
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1558
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1559
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1560
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ci.dll"
              }
            ],
            "repeated": 0,
            "id": 1561
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Enclave"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101"
              }
            ],
            "repeated": 0,
            "id": 1562
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1563
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1564
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1565
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1566
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1567
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1568
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1569
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1570
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1571
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ci.dll"
              }
            ],
            "repeated": 0,
            "id": 1572
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Enclave"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101"
              }
            ],
            "repeated": 0,
            "id": 1573
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1574
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 1575
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1576
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.64.1.1!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1577
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004b4"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.64.1.1!7"
              },
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1578
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "78"
              }
            ],
            "repeated": 0,
            "id": 1579
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1580
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7"
              },
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1581
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1582
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1583
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1584
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1585
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1586
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1587
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1588
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1589
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dnsapi.dll"
              }
            ],
            "repeated": 0,
            "id": 1590
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x414\\x43e\\x432\\x435\\x440\\x435\\x43d\\x43d\\x44b\\x439 DNS-\\x441\\x435\\x440\\x432\\x435\\x440"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103"
              }
            ],
            "repeated": 0,
            "id": 1591
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1592
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1593
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1594
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1595
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1596
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1597
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1598
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1599
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1600
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dnsapi.dll"
              }
            ],
            "repeated": 0,
            "id": 1601
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x414\\x43e\\x432\\x435\\x440\\x435\\x43d\\x43d\\x44b\\x439 DNS-\\x441\\x435\\x440\\x432\\x435\\x440"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103"
              }
            ],
            "repeated": 0,
            "id": 1602
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1603
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 1604
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1605
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.76.6.1!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7"
              }
            ],
            "repeated": 0,
            "id": 1606
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004b4"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.76.6.1!7"
              },
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7"
              }
            ],
            "repeated": 0,
            "id": 1607
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "80"
              }
            ],
            "repeated": 0,
            "id": 1608
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1609
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7"
              },
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7"
              }
            ],
            "repeated": 0,
            "id": 1610
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1611
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1612
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1613
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1614
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1615
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1616
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1617
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1618
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wuaueng.dll"
              }
            ],
            "repeated": 0,
            "id": 1619
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x426\\x435\\x43d\\x442\\x440 \\x43e\\x431\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400"
              }
            ],
            "repeated": 0,
            "id": 1620
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1621
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1622
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1623
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1624
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1625
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1626
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1627
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1628
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1629
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wuaueng.dll"
              }
            ],
            "repeated": 0,
            "id": 1630
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x426\\x435\\x43d\\x442\\x440 \\x43e\\x431\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400"
              }
            ],
            "repeated": 0,
            "id": 1631
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1632
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 1633
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1634
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.80.1!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7"
              }
            ],
            "repeated": 0,
            "id": 1635
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004b4"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.80.1!7"
              },
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7"
              }
            ],
            "repeated": 0,
            "id": 1636
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "132"
              }
            ],
            "repeated": 0,
            "id": 1637
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1638
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7"
              },
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7"
              }
            ],
            "repeated": 0,
            "id": 1639
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1640
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1641
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1642
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1643
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1644
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1645
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1646
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1647
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
              }
            ],
            "repeated": 0,
            "id": 1648
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x434\\x43e\\x43a\\x443\\x43c\\x435\\x43d\\x442\\x43e\\x432"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              }
            ],
            "repeated": 0,
            "id": 1649
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1650
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1651
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1652
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1653
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1654
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1655
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1656
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1657
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1658
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
              }
            ],
            "repeated": 0,
            "id": 1659
          },
          {
            "timestamp": "2025-11-19 20:41:29,807",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x434\\x43e\\x43a\\x443\\x43c\\x435\\x43d\\x442\\x43e\\x432"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              }
            ],
            "repeated": 0,
            "id": 1660
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1661
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 1662
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1663
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.92.1.1!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1664
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004b4"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.92.1.1!7"
              },
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1665
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004b8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 1666
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1667
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7"
              },
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1668
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1669
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1670
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1671
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1672
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1673
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1674
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1675
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1676
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\NgcRecovery.dll"
              }
            ],
            "repeated": 0,
            "id": 1677
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x43a\\x43b\\x44e\\x447\\x430 \\x432\\x43e\\x441\\x441\\x442\\x430\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows Hello"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              }
            ],
            "repeated": 0,
            "id": 1678
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1679
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1680
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1681
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1682
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1683
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xc8\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1684
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1685
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1686
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1687
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\NgcRecovery.dll"
              }
            ],
            "repeated": 0,
            "id": 1688
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x43a\\x43b\\x44e\\x447\\x430 \\x432\\x43e\\x441\\x441\\x442\\x430\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows Hello"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              }
            ],
            "repeated": 0,
            "id": 1689
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 1690
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 1691
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1692
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\"
              }
            ],
            "repeated": 0,
            "id": 1693
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe8a4",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1694
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 1695
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe6e2",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 1696
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bb2b05",
            "parentcaller": "0x7ffee0bb2644",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Control\\Cryptography\\ECCParameters"
              },
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Cryptography\\ECCParameters"
              }
            ],
            "repeated": 0,
            "id": 1697
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bb2b3c",
            "parentcaller": "0x7ffee0bb2644",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\ECCParameters\\"
              }
            ],
            "repeated": 0,
            "id": 1698
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bb2b53",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 1699
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c8f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1700
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1701
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c92000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1702
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1703
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000548"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\CRYPT32.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1704
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000464"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000548"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\crypt32.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1705
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000464"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05440000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06c8dd90"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1706
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 1707
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c95000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1708
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ce9000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1709
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ce9000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1710
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00S\\x00H\\x00A\\x002\\x005\\x006\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x002\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffS\\x00H\\x00A\\x002\\x005\\x006\\x00\\x00\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1711
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee14e1bc4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1390000"
              },
              {
                "name": "FunctionName",
                "value": "GetHashInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee13a4460"
              }
            ],
            "repeated": 0,
            "id": 1712
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\xa60\\x82\\x03L\\xa0\\x03\\x02\\x01\\x02\\x02\\x11\\x00\\xfc_eMG\\x92\\xa06\\x0eoE4\\xb9\\xf3\\x11\\xe70\n\\x06\\x08*\\x86H\\xce=\\x04\\x03\\x020;1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\\x1e0\\x1c\\x06\\x03U\\x04\n\\x13\\x15Google Trust Services1\\x0c0\n\\x06\\x03U\\x04\\x03\\x13\\x03WE10\\x1e\\x17\r251119161223Z\\x17\r260217171220Z0\\x171\\x150\\x13\\x06\\x03U\\x04\\x03\\x13\\x0cpastebin.com0Y0\\x13\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x08*\\x86H\\xce=\\x03\\x01\\x07\\x03B\\x00\\x04\t\\xd6\\xc7\\xed\\x85GCf\\x9b|p\\xd2\\x95\\xe4\\xfb\\x87\\xa8\\xb8\\xca\\x86E\\x1d5Qu7\\xdeA%\\xae\\x1cS\\x03\\x8b\\xa6\\xf7wT\\xfb\\xf9\\xa7Oh\\xe6,\\x8c l\\xcf\\x16\\xa2\\x1e)b\\xa8v%\\x88e\\xdbl\\x8c\\x80\\xe2\\xa3\\x82\\x02"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1713
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x02\\x9f0\\x82\\x02%\\xa0\\x03\\x02\\x01\\x02\\x02\\x10\\x7f\\xf3\\x19w\\x97,\"Jv\\x15]\\x13\\xb6\\xd6\\x85\\xe30\n\\x06\\x08*\\x86H\\xce=\\x04\\x03\\x030G1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\"0 \\x06\\x03U\\x04\n\\x13\\x19Google Trust Services LLC1\\x140\\x12\\x06\\x03U\\x04\\x03\\x13\\x0bGTS Root R40\\x1e\\x17\r231213090000Z\\x17\r290220140000Z0;1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\\x1e0\\x1c\\x06\\x03U\\x04\n\\x13\\x15Google Trust Services1\\x0c0\n\\x06\\x03U\\x04\\x03\\x13\\x03WE10Y0\\x13\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x08*\\x86H\\xce=\\x03\\x01\\x07\\x03B\\x00\\x04o\\xcd:\\xfegWGL!\\x03\\x85@\\xc2G]\\xbbXG\\x0f@"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1714
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03z0\\x82\\x02b\\xa0\\x03\\x02\\x01\\x02\\x02\\x10\\x7f\\xe50\\xbf3\\x13C\\xbe\\xdd\\x82\\x16\\x10I=\\x8a\\x1b0\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x0b\\x05\\x000W1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02BE1\\x190\\x17\\x06\\x03U\\x04\n\\x13\\x10GlobalSign nv-sa1\\x100\\x0e\\x06\\x03U\\x04\\x0b\\x13\\x07Root CA1\\x1b0\\x19\\x06\\x03U\\x04\\x03\\x13\\x12GlobalSign Root CA0\\x1e\\x17\r231115034321Z\\x17\r280128000042Z0G1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\"0 \\x06\\x03U\\x04\n\\x13\\x19Google Trust Services LLC1\\x140\\x12\\x06\\x03U\\x04\\x03\\x13\\x0bGTS Root R40v0\\x10\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x05+"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1715
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffec7816000"
              },
              {
                "name": "ModuleName",
                "value": "webio.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1716
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffec7816000"
              },
              {
                "name": "ModuleName",
                "value": "webio.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1717
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bca81a",
            "parentcaller": "0x7ffee0bca5cf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\crypt32"
              },
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32"
              }
            ],
            "repeated": 0,
            "id": 1718
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bca86c",
            "parentcaller": "0x7ffee0bca5cf",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "ValueName",
                "value": "DiagLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel"
              }
            ],
            "repeated": 0,
            "id": 1719
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bca8bf",
            "parentcaller": "0x7ffee0bca5cf",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "ValueName",
                "value": "DiagMatchAnyMask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask"
              }
            ],
            "repeated": 0,
            "id": 1720
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bca8f8",
            "parentcaller": "0x7ffee0bca5cf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1721
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bca600",
            "parentcaller": "0x7ffee0bba48e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\crypt32"
              },
              {
                "name": "Handle",
                "value": "0x000004b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32"
              }
            ],
            "repeated": 0,
            "id": 1722
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bca65d",
            "parentcaller": "0x7ffee0bba48e",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000004"
              },
              {
                "name": "WatchSubtree",
                "value": "0"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1723
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c97000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1724
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ce9000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1725
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ce9000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1726
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34e74ae",
            "parentcaller": "0x7ffee110dddb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1727
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee34e74b7",
            "parentcaller": "0x7ffee110dddb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1728
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10c54eb",
            "parentcaller": "0x7ffee0baa075",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1729
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee0baa0a1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1730
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0b9c6e9",
            "parentcaller": "0x7ffee0b9c63d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              }
            ],
            "repeated": 0,
            "id": 1731
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0b9c682",
            "parentcaller": "0x7ffee0b9c60e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "DisableSerialChain"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableSerialChain"
              }
            ],
            "repeated": 0,
            "id": 1732
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0b9c699",
            "parentcaller": "0x7ffee0b9c60e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1733
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0ba21cf",
            "parentcaller": "0x7ffee0ba4357",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1734
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0b9c6e9",
            "parentcaller": "0x7ffee0ba1baa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              }
            ],
            "repeated": 0,
            "id": 1735
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9ded9",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "CryptnetPreFetchTriggerPeriodSeconds"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds"
              }
            ],
            "repeated": 0,
            "id": 1736
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9def9",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "MaxUrlRetrievalByteCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount"
              }
            ],
            "repeated": 0,
            "id": 1737
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0ba176e",
            "parentcaller": "0x7ffee0ba16fe",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              }
            ],
            "repeated": 0,
            "id": 1738
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0b9e023",
            "parentcaller": "0x7ffee0b9e0d9",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "DisallowedCertSyncDeltaTime"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\DisallowedCertSyncDeltaTime"
              }
            ],
            "repeated": 0,
            "id": 1739
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0ba16b2",
            "parentcaller": "0x7ffee0b9e125",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1740
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe549",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID"
              }
            ],
            "repeated": 0,
            "id": 1741
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "EncodingType 0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1742
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 0"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1743
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "CertDllOpenStoreProv"
              },
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv"
              }
            ],
            "repeated": 0,
            "id": 1744
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "#16"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16"
              }
            ],
            "repeated": 0,
            "id": 1745
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "#16"
              },
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16"
              }
            ],
            "repeated": 0,
            "id": 1746
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "2"
              },
              {
                "name": "MaxValueNameLength",
                "value": "8"
              },
              {
                "name": "MaxValueLength",
                "value": "66"
              }
            ],
            "repeated": 0,
            "id": 1747
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Dll"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\cryptnet.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16\\Dll"
              }
            ],
            "repeated": 0,
            "id": 1748
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "FuncName"
              },
              {
                "name": "Data",
                "value": "LdapProvOpenStore"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16\\FuncName"
              }
            ],
            "repeated": 0,
            "id": 1749
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c99000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1750
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 1751
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "Ldap"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap"
              }
            ],
            "repeated": 0,
            "id": 1752
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "Ldap"
              },
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap"
              }
            ],
            "repeated": 0,
            "id": 1753
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "2"
              },
              {
                "name": "MaxValueNameLength",
                "value": "8"
              },
              {
                "name": "MaxValueLength",
                "value": "66"
              }
            ],
            "repeated": 0,
            "id": 1754
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Dll"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\cryptnet.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap\\Dll"
              }
            ],
            "repeated": 0,
            "id": 1755
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "FuncName"
              },
              {
                "name": "Data",
                "value": "LdapProvOpenStore"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap\\FuncName"
              }
            ],
            "repeated": 0,
            "id": 1756
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 1757
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\"
              }
            ],
            "repeated": 0,
            "id": 1758
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe8a4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 1759
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1760
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "EncodingType 1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1"
              }
            ],
            "repeated": 0,
            "id": 1761
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 1"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1"
              }
            ],
            "repeated": 0,
            "id": 1762
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "CertDllOpenStoreProv"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllOpenStoreProv"
              }
            ],
            "repeated": 0,
            "id": 1763
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1764
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\"
              }
            ],
            "repeated": 0,
            "id": 1765
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe6e2",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1766
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\Root\\PhysicalStores"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 1767
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1768
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bb703e",
            "parentcaller": "0x7ffee0bba69a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1769
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bc1c01",
            "parentcaller": "0x7ffee0bb77b9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots"
              }
            ],
            "repeated": 0,
            "id": 1770
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bd5a88",
            "parentcaller": "0x7ffee0bb77d4",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "103"
              }
            ],
            "repeated": 1,
            "id": 1771
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1772
          },
          {
            "timestamp": "2025-11-19 20:41:29,823",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\"
              }
            ],
            "repeated": 0,
            "id": 1773
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1774
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1775
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\"
              }
            ],
            "repeated": 0,
            "id": 1776
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1777
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\Root\\PhysicalStores"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 1778
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1779
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bb703e",
            "parentcaller": "0x7ffee0bba69a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1780
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1781
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\"
              }
            ],
            "repeated": 0,
            "id": 1782
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1783
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c9c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1784
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1785
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1786
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
              }
            ],
            "repeated": 0,
            "id": 1787
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1788
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\CA\\PhysicalStores"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 1789
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1790
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bb703e",
            "parentcaller": "0x7ffee0bba69a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1791
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1792
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000574"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\"
              }
            ],
            "repeated": 0,
            "id": 1793
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1794
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\CA\\PhysicalStores"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 1795
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1796
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bb703e",
            "parentcaller": "0x7ffee0bba69a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1797
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1798
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000578"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\"
              }
            ],
            "repeated": 0,
            "id": 1799
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1800
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9ed36",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "AutoFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlags"
              }
            ],
            "repeated": 0,
            "id": 1801
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c9e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1802
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9f774",
            "parentcaller": "0x7ffee0b9de30",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "DisableAutoFlushProcessNameList"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableAutoFlushProcessNameList"
              }
            ],
            "repeated": 0,
            "id": 1803
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9ed92",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "AutoFlushFirstDeltaSeconds"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushFirstDeltaSeconds"
              }
            ],
            "repeated": 0,
            "id": 1804
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9edbe",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "AutoFlushNextDeltaSeconds"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushNextDeltaSeconds"
              }
            ],
            "repeated": 0,
            "id": 1805
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0ba1c01",
            "parentcaller": "0x7ffee0ba2286",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1806
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1807
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1808
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1809
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1810
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1811
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1812
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1813
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1814
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0b9e956",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1815
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1816
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1817
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1818
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1819
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0b9e9e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1820
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000570"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1821
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1822
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1823
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1824
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000574"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1825
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1826
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1827
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1828
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0b9e956",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1829
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1830
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1831
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1832
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1833
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0b9e9e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1834
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000578"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1835
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1836
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1837
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1838
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1839
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1840
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1841
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1842
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1843
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1844
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1845
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1846
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0b9e956",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1847
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1848
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1849
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1850
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1851
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0b9e9e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1852
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000570"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1853
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1854
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1855
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1856
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000574"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1857
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1858
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1859
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1860
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0b9e956",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1861
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1862
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1863
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1864
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1865
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0b9e9e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1866
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000578"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1867
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1868
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1869
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1870
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1871
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "B1BC968BD4F49D622AA89A81F2150152A41D829C"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C"
              }
            ],
            "repeated": 0,
            "id": 1872
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "B1BC968BD4F49D622AA89A81F2150152A41D829C"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C"
              }
            ],
            "repeated": 0,
            "id": 1873
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1874
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1875
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "B1BC968BD4F49D622AA89A81F2150152A41D829C"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C"
              }
            ],
            "repeated": 0,
            "id": 1876
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "B1BC968BD4F49D622AA89A81F2150152A41D829C"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C"
              }
            ],
            "repeated": 0,
            "id": 1877
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ee82",
            "parentcaller": "0x7ffee0b9ec18",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "Blob"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob"
              }
            ],
            "repeated": 0,
            "id": 1878
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eee5",
            "parentcaller": "0x7ffee0b9ec18",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "Blob"
              },
              {
                "name": "Data",
                "value": "\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\xb1\\xbc\\x96\\x8b\\xd4\\xf4\\x9db*\\xa8\\x9a\\x81\\xf2\\x15\\x01R\\xa4\\x1d\\x82\\x9c~\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x04+\\xebw\\xd5\\x01z\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x000\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x7f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x000\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x1d\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00n\\xe7\\xf3\\xb0`\\xd1\\x0e\\x90\\xa3\\x1b\\xa3G\\x1b\\x99\\x926\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x14\\x00\\x00\\x00`{f\\x1aE\r\\x97\\xca\\x89P/}\\x04\\xcd4\\xa8\\xff\\xfc\\xfdKb\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\xeb\\xd4\\x10@\\xe4\\xbb>\\xc7B\\xc9\\xe3\\x81\\xd3\\x1e\\xf2\\xa4\\x1aH\\xb6h\\\\x96\\xe7\\xce\\xf3\\xc1\\xdfl\\xd43\\x1c\\x99\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\x00\\x00\\x00G\\x00l\\x00o\\x00b\\x00a\\x00l\\x00S\\x00i\\x00g\\x00n\\x00 \\x00R\\x00o\\x00o\\x00t\\x00 \\x00C\\x00A\\x00 \\x00-\\x00 \\x00R\\x001\\x00\\x00\\x00S\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\x00\\x00\\x000>0\\x1f\\x06\t+\\x06\\x01\\x04\\x01\\xa02\\x01\\x010\\x120\\x10\\x06\n+\\x06\\x01\\x04\\x01\\x827<\\x01\\x01\\x03\\x02\\x00\\xc00\\x1b\\x06\\x05g\\x81\\x0c\\x01\\x030\\x120\\x10\\x06\n+\\x06\\x01\\x04\\x01\\x827<\\x01\\x01\\x03\\x02\\x00\\xc0\t\\x00\\x00\\x00\\x01\\x00\\x00\\x00h\\x00\\x00\\x000f\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x02\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x03\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\\x04\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x04\\x06\\x08+\\x06\\x01\\x05\\x05\\x08\\x02\\x02\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x06\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x07\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x01\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x08 
\\x00\\x00\\x00\\x01\\x00\\x00\\x00y\\x03\\x00\\x000\\x82\\x03u0\\x82\\x02]\\xa0\\x03\\x02\\x01\\x02\\x02\\x0b\\x04\\x00\\x00\\x00\\x00\\x01\\x15KZ\\xc3\\x940\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x05\\x05\\x000W1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob"
              }
            ],
            "repeated": 0,
            "id": 1879
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ec4f",
            "parentcaller": "0x7ffee0b9eb0a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1880
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1881
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bad8a2",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03u0\\x82\\x02]\\xa0\\x03\\x02\\x01\\x02\\x02\\x0b\\x04\\x00\\x00\\x00\\x00\\x01\\x15KZ\\xc3\\x940\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x05\\x05\\x000W1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02BE1\\x190\\x17\\x06\\x03U\\x04\n\\x13\\x10GlobalSign nv-sa1\\x100\\x0e\\x06\\x03U\\x04\\x0b\\x13\\x07Root CA1\\x1b0\\x19\\x06\\x03U\\x04\\x03\\x13\\x12GlobalSign Root CA0\\x1e\\x17\r980901120000Z\\x17\r280128120000Z0W1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02BE1\\x190\\x17\\x06\\x03U\\x04\n\\x13\\x10GlobalSign nv-sa1\\x100\\x0e\\x06\\x03U\\x04\\x0b\\x13\\x07Root CA1\\x1b0\\x19\\x06\\x03U\\x04\\x03\\x13\\x12GlobalSign Root CA0\\x82\\x01\"0"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1882
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe549",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID"
              }
            ],
            "repeated": 0,
            "id": 1883
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "EncodingType 0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1884
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 0"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1885
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "CertDllVerifyCertificateChainPolicy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyCertificateChainPolicy"
              }
            ],
            "repeated": 0,
            "id": 1886
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1887
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "EncodingType 1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1"
              }
            ],
            "repeated": 0,
            "id": 1888
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000560"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 1"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1"
              }
            ],
            "repeated": 0,
            "id": 1889
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "CertDllVerifyCertificateChainPolicy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyCertificateChainPolicy"
              }
            ],
            "repeated": 0,
            "id": 1890
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1891
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\"
              }
            ],
            "repeated": 0,
            "id": 1892
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbe6e2",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 1893
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc52c4",
            "parentcaller": "0x7ffee0bc4daf",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x1e\\x82\\x0cpastebin.com\\x82\\x0e*.pastebin.com"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1894
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bca292",
            "parentcaller": "0x7ffee34b38c0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              },
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              }
            ],
            "repeated": 0,
            "id": 1895
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bca30d",
            "parentcaller": "0x7ffee34b38c0",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000004"
              },
              {
                "name": "WatchSubtree",
                "value": "0"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1896
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc822d",
            "parentcaller": "0x7ffee0bca256",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot"
              }
            ],
            "repeated": 0,
            "id": 1897
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc1c01",
            "parentcaller": "0x7ffee0bc4d45",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots"
              }
            ],
            "repeated": 0,
            "id": 1898
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc594e",
            "parentcaller": "0x7ffee0bca263",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot"
              }
            ],
            "repeated": 0,
            "id": 1899
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bca292",
            "parentcaller": "0x7ffee34b38c0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              },
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              }
            ],
            "repeated": 0,
            "id": 1900
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bca30d",
            "parentcaller": "0x7ffee34b38c0",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000004"
              },
              {
                "name": "WatchSubtree",
                "value": "0"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1901
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9f774",
            "parentcaller": "0x7ffee0bca17b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "PinRulesLogDir"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRulesLogDir"
              }
            ],
            "repeated": 0,
            "id": 1902
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0b9ee82",
            "parentcaller": "0x7ffee0bca1c5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              },
              {
                "name": "ValueName",
                "value": "PinRules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRules"
              }
            ],
            "repeated": 0,
            "id": 1903
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0ba176e",
            "parentcaller": "0x7ffee0ba16fe",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              },
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              }
            ],
            "repeated": 0,
            "id": 1904
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0ba15e1",
            "parentcaller": "0x7ffee0ba1531",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "PinRulesLastSyncTime"
              },
              {
                "name": "Data",
                "value": "\\xaf\\xa4!\\x93\\xa7Y\\xdc\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesLastSyncTime"
              }
            ],
            "repeated": 0,
            "id": 1905
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0ba1608",
            "parentcaller": "0x7ffee0ba1531",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1906
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0ba16b2",
            "parentcaller": "0x7ffee0ba1645",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 1907
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0ba176e",
            "parentcaller": "0x7ffee0ba16fe",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              },
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              }
            ],
            "repeated": 0,
            "id": 1908
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0ba0a53",
            "parentcaller": "0x7ffee0ba0bb3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "PinRulesEncodedCtl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl"
              }
            ],
            "repeated": 0,
            "id": 1909
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ca1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1910
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0ba0abb",
            "parentcaller": "0x7ffee0ba0bb3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "PinRulesEncodedCtl"
              },
              {
                "name": "Data",
                "value": "0\\x82E\\x94\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x07\\x02\\xa0\\x82E\\x850\\x82E\\x81\\x02\\x01\\x011\\x0b0\t\\x06\\x05+\\x0e\\x03\\x02\\x1a\\x05\\x000\\x82'\\xee\\x06\t+\\x06\\x01\\x04\\x01\\x827\n\\x01\\xa0\\x82'\\xdf0\\x82'\\xdb0\\x0c\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03 \\x04,P\\x00i\\x00n\\x00R\\x00u\\x00l\\x00e\\x00s\\x00_\\x00A\\x00u\\x00t\\x00o\\x00U\\x00p\\x00d\\x00a\\x00t\\x00e\\x00_\\x001\\x00\\x00\\x00\\x02\\x08\\x01\\xd2\\xdae\\xad\\xdb@7\\x17\r170531232859Z\\x17\r180601232859Z0\\x0e\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\"\\x05\\x000\\x82\\x1f\\xa30)\\x04\\x12.files-df.1drv.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000&\\x04\\x0f.files.1drv.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x0004\\x04\n.aadrm.com1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x0101\\x04\\x07.afx.ms1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x0105\\x04\\x0b.akadns.net1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x010%\\x04\\x0e.aspnetcdn.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x0008\\x04\\x0e.azure-int.net1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl"
              }
            ],
            "repeated": 0,
            "id": 1911
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bbdf92",
            "parentcaller": "0x7ffee0b9e3a5",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x800\\x0c\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03 \\x04,P\\x00i\\x00n\\x00R\\x00u\\x00l\\x00e\\x00s\\x00_\\x00A\\x00u\\x00t\\x00o\\x00U\\x00p\\x00d\\x00a\\x00t\\x00e\\x00_\\x001\\x00\\x00\\x00\\x02\\x08\\x01\\xd2\\xdae\\xad\\xdb@7\\x17\r170531232859Z\\x17\r180601232859Z0\\x0e\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\"\\x05\\x00\\x00\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008004"
              }
            ],
            "repeated": 0,
            "id": 1912
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bb0cd0",
            "parentcaller": "0x7ffee0bbe122",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x07\\xb80\\x82\\x07\\x95\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03!\\x01\\x01\\xff\\x04\\x82\\x07\\x820\\x82\\x07~0\\x82\\x03\\x1a\\x02\\x01\\x00\\x02\\x01\\x010\\x82\\x03\\x1006\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*"
              },
              {
                "name": "Flags",
                "value": "0x00008004"
              }
            ],
            "repeated": 0,
            "id": 1913
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0ba16b2",
            "parentcaller": "0x7ffee0ba0c01",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 1914
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7c0a",
            "parentcaller": "0x7ffee0bca060",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x07~0\\x82\\x03\\x1a\\x02\\x01\\x00\\x02\\x01\\x010\\x82\\x03\\x1006\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1915
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\x1a\\x02\\x01\\x00\\x02\\x01\\x010\\x82\\x03\\x1006\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1916
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\x1006\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0\\x92i\\x04 `\\xbd\\xedu\\xc5\\xfd"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1917
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1918
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1919
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1920
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1921
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0\\x92i\\x04 `\\xbd\\xedu\\xc5\\xfd\\x11\\x90\\x10\\xd6\\x83/v\\xde\\xfc94s\\xd7\\xa0\\xced\\xfb\\xd6\\x8d\\xab\\xa2\\x9b\\xfd\\x0b/|\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1922
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xa8#\\xb4\\xa2\\x01\\x80\\xbe\\xb4`\\xca\\xb9U\\xc2M~!\\x04 =\\xde2\\xff\\xc4p\\x9b\\xb1\\xa3\\xffv\\xd3TA\\xf4\\xae\\x7f\\xe0^\\xe2\\x8a\\xe5\\xd6\\x17\\xa7[\\xd3n\\xeek\\xf5\\xca\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1923
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xa8\\x82z<\\xbd-\\x87\\xd7\\x83\\xb5\\x9b\\x80b\\xc8~\\x9a\\x04 %\\x88%;\\x9aAR$\\x14\\xad\\xc3\\xab\\xa2\\xf0\\xb8\\x17\\xbf;\\xaa\\x0cz\\x0c\\x19diO\\x7f^\\xff\\xc4\\xb9`\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1924
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xadmo\\xf3\\x1b$\\x011Q\\xf2y\\xe2j\\x8c3$\\x04 \\xd61\\xb2F\\x02|\\xa8\\x8e\\x9b\\x03BO#\\x0c\\x9f53R\\xb4\\x9a_\\x9as\\x15Vm\\xc2\\xach\\xd0X\\x16\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1925
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbaO9r\\xe7\\xae\\xd9\\xdc\\xcd\\xc2\\x10\\xdbY\\xda\\x13\\xc9\\x04 \\xe5\\xd4\\x7f\\x02\\xf2t\\x97\\x81\\xc1\\x84\\xab<\\x0fT\\x9eqk\\xb21BJr\\x1f\\xec;\\xdf\\xa17G\\x9e\\x1e\\x15\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1926
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1927
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd0\\xfd<\\x9c8\r{e\\xe2k\\x9a?\\xed\\xd3\\x9b\\x8f\\x04 9\\xa4u\\x87\\x0b\\xf2\\xb4\\x8cR\\x03\\xa0\\x8e\\xa5\"y\\xbc\\xe7\\x1a\\xbb\\x8d>7\\xe0k\\x89\\x07\\xa2g\\xec\\xd7\\xdaj\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1928
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd6`0\\xcd\\xb7\\x92\\x86\\xc9\\xcb\\xee\\x93\\xc1O\\xa3\\x99\\xcc\\x04 E\\xbaB\\xfe\\xb2v\\x9a\\x95c\\xfaQ\\xcc'\\xdd\\x14\\x96\\xef\\xd0\\xe4\\xc5\\xd1\\x96\\x89\\x803\\x17\\x8c\\xc8u\\x8fP\\xca\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1929
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1930
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xfaF\\xce|\\xbb\\x85\\xcf\\xb41\\x00u1:\t\\xee\\x05\\x04 H\\xa0:\\xf5\\x0b\\xc5\\xa1\\xf9q\\xc0\\xc1\\x93\\x8b\n\\xb2\\xd5\\x9bT\\x86\\x9e\\x18\\x01\\xf3x\\x1d^\\x1c\\xd2\\xf7\\xe3\\x93\\x91\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1931
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x81\\xb1\\x02\\x01\\x00\\x02\\x01\\x010\\x81\\xa806\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x0006\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1932
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x81\\xa806\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x0006\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1933
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1934
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1935
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1936
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0@\\x02\\x01\\x00\\x02\\x01\\x010806\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1937
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0806\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1938
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1939
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0@\\x02\\x01\\x00\\x02\\x01\\x010806\\x04\\x10\\x02\\x87v\\xeb\\x1e}\\xaeb\\xa5+\\xd5\n\\xa1[\\x9a]\\x04 \\x05\\xbe\\xf6\\xeb\\xdd\\xa8\\x0f=\\x15\\x07>K\\xde\\x9e\\x9f\\x9d\\xaau\\xf0\\xa5\\xa7p:c\\xaca<\\xf4>\\x14\\x08\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1940
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0806\\x04\\x10\\x02\\x87v\\xeb\\x1e}\\xaeb\\xa5+\\xd5\n\\xa1[\\x9a]\\x04 \\x05\\xbe\\xf6\\xeb\\xdd\\xa8\\x0f=\\x15\\x07>K\\xde\\x9e\\x9f\\x9d\\xaau\\xf0\\xa5\\xa7p:c\\xaca<\\xf4>\\x14\\x08\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1941
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x02\\x87v\\xeb\\x1e}\\xaeb\\xa5+\\xd5\n\\xa1[\\x9a]\\x04 \\x05\\xbe\\xf6\\xeb\\xdd\\xa8\\x0f=\\x15\\x07>K\\xde\\x9e\\x9f\\x9d\\xaau\\xf0\\xa5\\xa7p:c\\xaca<\\xf4>\\x14\\x08\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1942
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x08\\x02\\x01\\x00\\x02\\x01\\x010\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1943
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1944
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\x1a\\x02\\x01\\x00\\x02\\x01\\x010\\x82\\x03\\x1006\\x04\\x10V\\x8f\\x1c\\xb8\\xa3\t\\xda\\x17\\xf1\\x15\\x02\\xff\n\\xebp\\x80\\x04 \re(Gp#\\xc1o\\xb1\\x1e\\xe6\\xc3ZRPLND\\x1bY\\x19I\\x1f_5\\x9e\\xd5\\x0e\\xb3\\x05\\x9b\\x8a\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1945
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\x1006\\x04\\x10V\\x8f\\x1c\\xb8\\xa3\t\\xda\\x17\\xf1\\x15\\x02\\xff\n\\xebp\\x80\\x04 \re(Gp#\\xc1o\\xb1\\x1e\\xe6\\xc3ZRPLND\\x1bY\\x19I\\x1f_5\\x9e\\xd5\\x0e\\xb3\\x05\\x9b\\x8a\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0\\x92i\\x04 `\\xbd\\xedu\\xc5\\xfd"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1946
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10V\\x8f\\x1c\\xb8\\xa3\t\\xda\\x17\\xf1\\x15\\x02\\xff\n\\xebp\\x80\\x04 \re(Gp#\\xc1o\\xb1\\x1e\\xe6\\xc3ZRPLND\\x1bY\\x19I\\x1f_5\\x9e\\xd5\\x0e\\xb3\\x05\\x9b\\x8a\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1947
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1948
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1949
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1950
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0\\x92i\\x04 `\\xbd\\xedu\\xc5\\xfd\\x11\\x90\\x10\\xd6\\x83/v\\xde\\xfc94s\\xd7\\xa0\\xced\\xfb\\xd6\\x8d\\xab\\xa2\\x9b\\xfd\\x0b/|\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1951
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xa8#\\xb4\\xa2\\x01\\x80\\xbe\\xb4`\\xca\\xb9U\\xc2M~!\\x04 =\\xde2\\xff\\xc4p\\x9b\\xb1\\xa3\\xffv\\xd3TA\\xf4\\xae\\x7f\\xe0^\\xe2\\x8a\\xe5\\xd6\\x17\\xa7[\\xd3n\\xeek\\xf5\\xca\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1952
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xa8\\x82z<\\xbd-\\x87\\xd7\\x83\\xb5\\x9b\\x80b\\xc8~\\x9a\\x04 %\\x88%;\\x9aAR$\\x14\\xad\\xc3\\xab\\xa2\\xf0\\xb8\\x17\\xbf;\\xaa\\x0cz\\x0c\\x19diO\\x7f^\\xff\\xc4\\xb9`\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1953
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xadmo\\xf3\\x1b$\\x011Q\\xf2y\\xe2j\\x8c3$\\x04 \\xd61\\xb2F\\x02|\\xa8\\x8e\\x9b\\x03BO#\\x0c\\x9f53R\\xb4\\x9a_\\x9as\\x15Vm\\xc2\\xach\\xd0X\\x16\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1954
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbaO9r\\xe7\\xae\\xd9\\xdc\\xcd\\xc2\\x10\\xdbY\\xda\\x13\\xc9\\x04 \\xe5\\xd4\\x7f\\x02\\xf2t\\x97\\x81\\xc1\\x84\\xab<\\x0fT\\x9eqk\\xb21BJr\\x1f\\xec;\\xdf\\xa17G\\x9e\\x1e\\x15\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1955
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1956
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd0\\xfd<\\x9c8\r{e\\xe2k\\x9a?\\xed\\xd3\\x9b\\x8f\\x04 9\\xa4u\\x87\\x0b\\xf2\\xb4\\x8cR\\x03\\xa0\\x8e\\xa5\"y\\xbc\\xe7\\x1a\\xbb\\x8d>7\\xe0k\\x89\\x07\\xa2g\\xec\\xd7\\xdaj\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1957
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd6`0\\xcd\\xb7\\x92\\x86\\xc9\\xcb\\xee\\x93\\xc1O\\xa3\\x99\\xcc\\x04 E\\xbaB\\xfe\\xb2v\\x9a\\x95c\\xfaQ\\xcc'\\xdd\\x14\\x96\\xef\\xd0\\xe4\\xc5\\xd1\\x96\\x89\\x803\\x17\\x8c\\xc8u\\x8fP\\xca\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1958
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1959
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xfaF\\xce|\\xbb\\x85\\xcf\\xb41\\x00u1:\t\\xee\\x05\\x04 H\\xa0:\\xf5\\x0b\\xc5\\xa1\\xf9q\\xc0\\xc1\\x93\\x8b\n\\xb2\\xd5\\x9bT\\x86\\x9e\\x18\\x01\\xf3x\\x1d^\\x1c\\xd2\\xf7\\xe3\\x93\\x91\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1960
          },
          {
            "timestamp": "2025-11-19 20:41:29,838",
            "thread_id": "4092",
            "caller": "0x7ffee0bc7cee",
            "parentcaller": "0x7ffee0bca060",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "\\x17\r180601232859Z"
              },
              {
                "name": "Flags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1961
          },
          {
            "timestamp": "2025-11-19 20:41:29,854",
            "thread_id": "4092",
            "caller": "0x7ffec77a116b",
            "parentcaller": "0x7ffec77a0c67",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1962
          },
          {
            "timestamp": "2025-11-19 20:41:29,854",
            "thread_id": "4092",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ca6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1963
          },
          {
            "timestamp": "2025-11-19 20:41:29,854",
            "thread_id": "4092",
            "caller": "0x7ffedfaad443",
            "parentcaller": "0x7ffedfaabd57",
            "category": "network",
            "api": "SslEncryptPacket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Buffer",
                "value": "GET /raw/04TKQkE1 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pastebin.com\r\n\r\n"
              },
              {
                "name": "SequenceNumber",
                "value": "1"
              },
              {
                "name": "BufferSize",
                "value": "158"
              }
            ],
            "repeated": 0,
            "id": 1964
          },
          {
            "timestamp": "2025-11-19 20:41:29,854",
            "thread_id": "4092",
            "caller": "0x7ffec77be76b",
            "parentcaller": "0x7ffec779d7bf",
            "category": "network",
            "api": "WSASend",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Socket",
                "value": "1164"
              },
              {
                "name": "Buffer",
                "value": "\\x17\\x03\\x03\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01q\\xe9h\\xd1\\xcd\\xf6F\\x15\\xd8\\x8c\\xf46h\\xfb\t\\x066&\\x00\\xbbx4\\xe5\\x89\\xbb9D\\x14\\xbe@\\xfa\\x96s2\\xfay9\\xcf\\xeeS2\\x97\\x10\\xa1\\xd6\\x8c\\xd8\\x99;\\x8d\\xeb\\x18De85\\xdc\\x9c3\\x10\\xe6\\xeb\\xe2\\xf7\\xe9r\\x82\\xa5\\x8a\\xc5dH\\x91&\\x15\\xe5T\\x1d\\x8e\\x83\\xce\\x87Sc\\xf3:{Sq\\x83M\\x97\\xf7 W\"9\\x8e\\x16d\\xa3\\xe1\\xcbH\\xd5d\\xa5\\xe7\\x12j%\\x91xr\\x98s\\x03\n\\xd5`\\\\xb3z</\\x85\\xec\\xcf\\xb1t\\x97\\x00V\\x15\\x13r\\xd5\\xb8\\xa5\\x80\\xf0y\\x89\\x0e\\xc4\\xe8\\x81\\xb9wh\\x10\\x19-\\x1a$\\xec>*v\\xc0_+nIx9\\xd0M\\xa3\\xc6dz\\xbf\\x7f"
              }
            ],
            "repeated": 0,
            "id": 1965
          },
          {
            "timestamp": "2025-11-19 20:41:29,854",
            "thread_id": "4092",
            "caller": "0x7ffec77bb648",
            "parentcaller": "0x7ffec779c7cd",
            "category": "network",
            "api": "WSARecv",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              }
            ],
            "repeated": 0,
            "id": 1966
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "4092",
            "caller": "0x7ffedfaacb7e",
            "parentcaller": "0x7ffedfaac903",
            "category": "network",
            "api": "SslDecryptPacket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Buffer",
                "value": "HTTP/1.1 200 OK\r\nDate: Wed, 19 Nov 2025 23:44:22 GMT\r\nContent-Type: text/plain; charset=utf-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nServer: cloudflare\r\nx-frame-options: DENY\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1;mode=block\r\nCache-Control: public, max-age=14400\r\nAge: 1685\r\ncf-cache-status: HIT\r\nlast-modified: Wed, 19 Nov 2025 23:16:16 GMT\r\nVary: accept-encoding\r\nCF-RAY: 9a13933d5e6c35cc-ARN\r\n\r\n90\r\n00330-80000-00000-AA481 - \\x44f\r\n00326-30000-00001-AA465 - \\x412\\x43b\\x430\\x434\r\n00330-80000-00000-AA051 - \\x42d\\x43b\\x44c\\x434\\x430\\x440\r\n00326-30000-00001-AA817 - \\x41a\\x438\\x440\\x438\\x43b\\x43b\r\n"
              },
              {
                "name": "SequenceNumber",
                "value": "1"
              },
              {
                "name": "BufferSize",
                "value": "577"
              }
            ],
            "repeated": 0,
            "id": 1967
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "4092",
            "caller": "0x7ffec77bb648",
            "parentcaller": "0x7ffec779c7cd",
            "category": "network",
            "api": "WSARecv",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              }
            ],
            "repeated": 0,
            "id": 1968
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "4092",
            "caller": "0x7ffedfaacb7e",
            "parentcaller": "0x7ffedfaac903",
            "category": "network",
            "api": "SslDecryptPacket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Buffer",
                "value": "0\r\n\r\n"
              },
              {
                "name": "SequenceNumber",
                "value": "2"
              },
              {
                "name": "BufferSize",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 1969
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSendRequest",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009947b0"
              },
              {
                "name": "Headers",
                "value": ""
              },
              {
                "name": "Optional",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1970
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpReceiveResponse",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009947b0"
              }
            ],
            "repeated": 2,
            "id": 1971
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpQueryHeaders",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009947b0"
              }
            ],
            "repeated": 1,
            "id": 1972
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WSARecv",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              }
            ],
            "repeated": 0,
            "id": 1973
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 1974
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044c"
              }
            ],
            "repeated": 1,
            "id": 1975
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 1,
            "id": 1976
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "1884",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044c"
              }
            ],
            "repeated": 0,
            "id": 1977
          },
          {
            "timestamp": "2025-11-19 20:41:29,885",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpQueryHeaders",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009947b0"
              }
            ],
            "repeated": 0,
            "id": 1978
          },
          {
            "timestamp": "2025-11-19 20:41:29,901",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\mlang"
              },
              {
                "name": "DllBase",
                "value": "0x7ffec5430000"
              }
            ],
            "repeated": 0,
            "id": 1979
          },
          {
            "timestamp": "2025-11-19 20:41:29,901",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mlang.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffec5430000"
              }
            ],
            "repeated": 0,
            "id": 1980
          },
          {
            "timestamp": "2025-11-19 20:41:29,901",
            "thread_id": "1884",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "275C23E2-3747-11D0-9FEA-00AA003F8646"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "275C23E1-3747-11D0-9FEA-00AA003F8646"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1981
          },
          {
            "timestamp": "2025-11-19 20:41:29,901",
            "thread_id": "1884",
            "caller": "0x14001f728",
            "parentcaller": "0x14003ee1c",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#206"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1982
          },
          {
            "timestamp": "2025-11-19 20:41:29,901",
            "thread_id": "1884",
            "caller": "0x14001f728",
            "parentcaller": "0x14003ee1c",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x1401391cc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313e0"
              }
            ],
            "repeated": 0,
            "id": 1983
          },
          {
            "timestamp": "2025-11-19 20:41:29,901",
            "thread_id": "1884",
            "caller": "0x14001f728",
            "parentcaller": "0x14003ee1c",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x140131340",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#4"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1984
          },
          {
            "timestamp": "2025-11-19 20:41:29,901",
            "thread_id": "1884",
            "caller": "0x14001f728",
            "parentcaller": "0x14003ee1c",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140134f10",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131340"
              }
            ],
            "repeated": 0,
            "id": 1985
          },
          {
            "timestamp": "2025-11-19 20:41:29,901",
            "thread_id": "1884",
            "caller": "0x14001f744",
            "parentcaller": "0x14003ee1c",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010098",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1986
          },
          {
            "timestamp": "2025-11-19 20:41:29,916",
            "thread_id": "1884",
            "caller": "0x1400b404f",
            "parentcaller": "0x140037c90",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000d0022"
              },
              {
                "name": "Message",
                "value": "0x00000044"
              }
            ],
            "repeated": 0,
            "id": 1987
          },
          {
            "timestamp": "2025-11-19 20:41:29,932",
            "thread_id": "1884",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf5a0000"
              }
            ],
            "repeated": 1,
            "id": 1988
          },
          {
            "timestamp": "2025-11-19 20:41:29,948",
            "thread_id": "1884",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedfcb0000"
              }
            ],
            "repeated": 0,
            "id": 1989
          },
          {
            "timestamp": "2025-11-19 20:41:29,948",
            "thread_id": "1884",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x7ffede0b0000"
              }
            ],
            "repeated": 0,
            "id": 1990
          },
          {
            "timestamp": "2025-11-19 20:41:29,948",
            "thread_id": "1884",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc8a0000"
              }
            ],
            "repeated": 0,
            "id": 1991
          },
          {
            "timestamp": "2025-11-19 20:41:29,948",
            "thread_id": "1884",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "DllBase",
                "value": "0x7ffeddd50000"
              }
            ],
            "repeated": 0,
            "id": 1992
          },
          {
            "timestamp": "2025-11-19 20:41:29,948",
            "thread_id": "1884",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed8f50000"
              }
            ],
            "repeated": 0,
            "id": 1993
          },
          {
            "timestamp": "2025-11-19 20:41:29,963",
            "thread_id": "1884",
            "caller": "0x1400b2754",
            "parentcaller": "0x140056af0",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msctf.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee21a0000"
              }
            ],
            "repeated": 0,
            "id": 1994
          },
          {
            "timestamp": "2025-11-19 20:42:19,588",
            "thread_id": "4092",
            "caller": "0x7ffec77bf96a",
            "parentcaller": "0x7ffee34e16e9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1995
          },
          {
            "timestamp": "2025-11-19 20:42:21,510",
            "thread_id": "1808",
            "caller": "0x7ffee34c467e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1808"
              }
            ],
            "repeated": 0,
            "id": 1996
          },
          {
            "timestamp": "2025-11-19 20:42:21,510",
            "thread_id": "3316",
            "caller": "0x7ffee34c469e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1997
          },
          {
            "timestamp": "2025-11-19 20:42:24,151",
            "thread_id": "4092",
            "caller": "0x7ffee3347042",
            "parentcaller": "0x7ffee3346fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 1998
          },
          {
            "timestamp": "2025-11-19 20:42:24,151",
            "thread_id": "4092",
            "caller": "0x7ffee3347042",
            "parentcaller": "0x7ffee3346fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 1999
          },
          {
            "timestamp": "2025-11-19 20:42:24,151",
            "thread_id": "4092",
            "caller": "0x7ffee3347042",
            "parentcaller": "0x7ffee3346fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 2000
          },
          {
            "timestamp": "2025-11-19 20:42:28,557",
            "thread_id": "3064",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000304"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 2001
          },
          {
            "timestamp": "2025-11-19 20:43:09,588",
            "thread_id": "4092",
            "caller": "0x7ffec77bf96a",
            "parentcaller": "0x7ffee34e16e9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2002
          },
          {
            "timestamp": "2025-11-19 20:43:19,588",
            "thread_id": "4092",
            "caller": "0x7ffec77c2f51",
            "parentcaller": "0x7ffec77c2e76",
            "category": "network",
            "api": "shutdown",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              },
              {
                "name": "how",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2003
          },
          {
            "timestamp": "2025-11-19 20:43:19,588",
            "thread_id": "4092",
            "caller": "0x7ffec77c2f60",
            "parentcaller": "0x7ffec77c2e76",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1164"
              }
            ],
            "repeated": 0,
            "id": 2004
          },
          {
            "timestamp": "2025-11-19 20:43:19,588",
            "thread_id": "3612",
            "caller": "0x7ffee0a47358",
            "parentcaller": "0x7ffee0a470ef",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x902\\x00\\x00\\x00\\x00\\x00,\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3612"
              }
            ],
            "repeated": 0,
            "id": 2005
          },
          {
            "timestamp": "2025-11-19 20:43:29,588",
            "thread_id": "3612",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a51ba7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000454"
              }
            ],
            "repeated": 0,
            "id": 2006
          },
          {
            "timestamp": "2025-11-19 20:43:31,916",
            "thread_id": "3064",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe3081",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 2007
          },
          {
            "timestamp": "2025-11-19 20:43:35,510",
            "thread_id": "3844",
            "caller": "0x7ffee34c467e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3844"
              }
            ],
            "repeated": 0,
            "id": 2008
          },
          {
            "timestamp": "2025-11-19 20:43:35,510",
            "thread_id": "3844",
            "caller": "0x7ffee34c469e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2009
          },
          {
            "timestamp": "2025-11-19 20:43:59,588",
            "thread_id": "3612",
            "caller": "0x7ffec77bf96a",
            "parentcaller": "0x7ffee34e16e9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2010
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee2fe2f2d",
            "parentcaller": "0x7ffee2fe2d59",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "16"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3064"
              }
            ],
            "repeated": 0,
            "id": 2011
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe2ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 2012
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee2f6cd6e",
            "parentcaller": "0x7ffee2fe2ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2013
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe4324",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 2014
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee34c467e",
            "parentcaller": "0x7ffee110f79a",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3064"
              }
            ],
            "repeated": 0,
            "id": 2015
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1831000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2016
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1831000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2017
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe722d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 2018
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe723d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 2019
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee339e41e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 2020
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee339e4e4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 2021
          },
          {
            "timestamp": "2025-11-19 20:44:31,385",
            "thread_id": "3064",
            "caller": "0x7ffee34c469e",
            "parentcaller": "0x7ffee110f79a",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2022
          }
        ],
        "threads": [
          "1884",
          "1652",
          "1680",
          "1688",
          "2196",
          "3064",
          "4092",
          "3612",
          "1808",
          "3316",
          "3844"
        ],
        "environ": {
          "UserName": "Admin",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "\"C:\\Temp\\PoliceAssist.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x140000000",
          "MainExeSize": "0x0013a000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 740,
        "process_name": "svchost.exe",
        "parent_id": 600,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "first_seen": "2025-11-19 20:41:22,041",
        "calls": [
          {
            "timestamp": "2025-11-19 20:41:24,135",
            "thread_id": "632",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000970"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-19 20:41:24,713",
            "thread_id": "872",
            "caller": "0x7ffee34b5f9c",
            "parentcaller": "0x7ffee34b5bbb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x26c84b90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 12,
            "id": 1
          },
          {
            "timestamp": "2025-11-19 20:41:25,526",
            "thread_id": "632",
            "caller": "0x7ffee10ec5f2",
            "parentcaller": "0x7ffee10e89f3",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000e30"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000034c"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "140728898424772"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-19 20:41:27,120",
            "thread_id": "632",
            "caller": "0x7ffee10e89f3",
            "parentcaller": "0x7ffee167de30",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000010",
                "pretty_value": "CREATE_NEW_CONSOLE"
              },
              {
                "name": "ProcessId",
                "value": "4036"
              },
              {
                "name": "ThreadId",
                "value": "1460"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000e30"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000034c"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-19 20:41:29,995",
            "thread_id": "632",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee10be6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb90000"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-19 20:41:34,135",
            "thread_id": "632",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a8c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-19 20:41:44,120",
            "thread_id": "632",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e64"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-19 20:41:54,120",
            "thread_id": "632",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a8c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2025-11-19 20:41:59,432",
            "thread_id": "3840",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000e18"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2025-11-19 20:42:04,120",
            "thread_id": "3452",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2025-11-19 20:42:14,120",
            "thread_id": "3452",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a48"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2025-11-19 20:42:24,120",
            "thread_id": "632",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000034c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2025-11-19 20:42:34,120",
            "thread_id": "3452",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 2,
            "id": 12
          },
          {
            "timestamp": "2025-11-19 20:43:04,135",
            "thread_id": "912",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a8c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 13
          },
          {
            "timestamp": "2025-11-19 20:43:24,120",
            "thread_id": "912",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2025-11-19 20:43:31,307",
            "thread_id": "3452",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9abe00",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000a48"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000a8c"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000a48"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-19 20:43:34,120",
            "thread_id": "3452",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 16
          },
          {
            "timestamp": "2025-11-19 20:43:54,120",
            "thread_id": "912",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-19 20:44:04,120",
            "thread_id": "632",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000034c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 18
          },
          {
            "timestamp": "2025-11-19 20:44:24,135",
            "thread_id": "632",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 19
          }
        ],
        "threads": [
          "632",
          "872",
          "3840",
          "3452",
          "912"
        ],
        "environ": {
          "UserName": "СИСТЕМА",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff630560000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 4036,
        "process_name": "WmiPrvSE.exe",
        "parent_id": 740,
        "module_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "first_seen": "2025-11-19 20:41:27,133",
        "calls": [
          {
            "timestamp": "2025-11-19 20:41:27,180",
            "thread_id": "3552",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61da6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-19 20:41:27,180",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3ca74",
            "parentcaller": "0x7ff7ccd3c74d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1660000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2025-11-19 20:41:27,180",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3ca74",
            "parentcaller": "0x7ff7ccd3c74d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-19 20:41:27,180",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3ca74",
            "parentcaller": "0x7ff7ccd3c74d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001f8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e634d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8caf58f110"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-19 20:41:27,180",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c96b",
            "parentcaller": "0x7ff7ccd3c762",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\USER32.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-19 20:41:27,180",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c96b",
            "parentcaller": "0x7ff7ccd3c762",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6161c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-19 20:41:27,180",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c99f",
            "parentcaller": "0x7ff7ccd3c762",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\USER32.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c99f",
            "parentcaller": "0x7ff7ccd3c762",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61cf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8caf58e590"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rpcss.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000200"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63810000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00143000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63810000"
              },
              {
                "name": "RegionSize",
                "value": "0x00143000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000208"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedea70000"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000208"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1390000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00082000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee1390000"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c378",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6161e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c5a5",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61624000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c5a5",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61626000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c60b",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee2c20000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c60b",
            "parentcaller": "0x7ff7ccd3b501",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c2ca",
            "parentcaller": "0x7ff7ccd3b513",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000254"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d30000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8caf58f540"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1b9",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61da7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1b9",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x25e615f0150"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 9,
            "id": 24
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1b9",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000270",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffed94c3ca0"
              },
              {
                "name": "Parameter",
                "value": "0x25e61628950"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "2548"
              },
              {
                "name": "ProcessId",
                "value": "4036"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63810000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63810000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6162a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63812000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6162b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63813000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6162c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6162d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63816000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6162f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2025-11-19 20:41:27,196",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3c1ff",
            "parentcaller": "0x7ff7ccd3b518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6381b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b555",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc220000"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b555",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc220000"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b555",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F811-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "2132",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002a8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "2132",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61642000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b5bc",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b5bc",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b5bc",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedb270000"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b5bc",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemsvc.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedb270000"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b5bc",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "8BC3F05E-D86B-11D0-A075-00C04FB68820"
              },
              {
                "name": "ClsContext",
                "value": "0x00000014",
                "pretty_value": "CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b5bc",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\fastprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed3fc0000"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b5bc",
            "parentcaller": "0x7ff7ccd3c77a",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3dafb",
            "parentcaller": "0x7ff7ccd3b615",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 50
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "1460",
            "caller": "0x7ff7ccd3b1d8",
            "parentcaller": "0x7ff7ccd3b33c",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002cc",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff7ccd3b120"
              },
              {
                "name": "Parameter",
                "value": "0x25e6164aa80"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "2200"
              },
              {
                "name": "ProcessId",
                "value": "4036"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002fc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6164d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6164e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61652000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61653000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61654000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 61
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ff7ccd3f038",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wmiutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed9560000"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ff7ccd3f038",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wmiutils.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed9560000"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ff7ccd3f038",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee2f66d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000030c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61659000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "2188",
            "caller": "0x7ff7ccd31cb2",
            "parentcaller": "0x7ff7ccd31a68",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6165c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "2188",
            "caller": "0x7ff7ccd31cb2",
            "parentcaller": "0x7ff7ccd31a68",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "2188",
            "caller": "0x7ff7ccd31cb2",
            "parentcaller": "0x7ff7ccd31a68",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6165e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "2188",
            "caller": "0x7ff7ccd34e98",
            "parentcaller": "0x7ff7ccd31ab3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "2188",
            "caller": "0x7ff7ccd34ef3",
            "parentcaller": "0x7ff7ccd31ab3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61660000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "2188",
            "caller": "0x7ff7ccd34ef3",
            "parentcaller": "0x7ff7ccd31ab3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61663000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "2188",
            "caller": "0x7ff7ccd356cb",
            "parentcaller": "0x7ff7ccd35514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\powrprof"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee09f0000"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "2188",
            "caller": "0x7ff7ccd356cb",
            "parentcaller": "0x7ff7ccd35514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\framedynos"
              },
              {
                "name": "DllBase",
                "value": "0x7ffeca3f0000"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "2188",
            "caller": "0x7ff7ccd356cb",
            "parentcaller": "0x7ff7ccd35514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\cimwin32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffeca0f0000"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "2188",
            "caller": "0x7ff7ccd356cb",
            "parentcaller": "0x7ff7ccd35514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\UMPDC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee09d0000"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ff7ccd356cb",
            "parentcaller": "0x7ff7ccd35514",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\cimwin32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffeca0f0000"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ff7ccd356cb",
            "parentcaller": "0x7ff7ccd35514",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "D63A5850-8F16-11CF-9F47-00AA00BF345C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ff7ccd3998d",
            "parentcaller": "0x7ff7ccd3899b",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ff7ccd37ab2",
            "parentcaller": "0x7ff7ccd35b48",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ff7ccd3e7c7",
            "parentcaller": "0x7ff7ccd3e590",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61664000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fea195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61667000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ff7ccd3f72f",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6166a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 87
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffee2fc0030",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6166c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61672000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winbrand.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000330"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecbda0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00035000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\winbrand"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecbda0000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8cafd7b140"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wldp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61675000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8cafd7b140"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wldp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61677000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2025-11-19 20:41:29,352",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8cafd7ba30"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wldp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8cafd7ba30"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wldp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SECURITY"
              },
              {
                "name": "DllBase",
                "value": "0x25e61d60000"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "SECURITY.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d60000"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\secur32.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc850000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SECUR32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc850000"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6167a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\schannel"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedfaa0000"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\schannel.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfaa0000"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6167c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000037c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffeca0fd930"
              },
              {
                "name": "Parameter",
                "value": "0x7ffeca2e4460"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "3824"
              },
              {
                "name": "ProcessId",
                "value": "4036"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6167e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2025-11-19 20:41:29,368",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8cafd7b240"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8cafd7b240"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61d70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3852",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e61681000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ffee34e1963",
            "parentcaller": "0x7ffee34e18a2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e615c2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6168a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6168c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee2f66d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000390"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffee2fc0030",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd3906c",
            "parentcaller": "0x7ff7ccd38cc3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd3906c",
            "parentcaller": "0x7ff7ccd38cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6169d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd3906c",
            "parentcaller": "0x7ff7ccd38cc3",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "NTDLL.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd3906c",
            "parentcaller": "0x7ff7ccd38cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63835000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd3906c",
            "parentcaller": "0x7ff7ccd38cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6383e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd3906c",
            "parentcaller": "0x7ff7ccd38cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63835000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd3906c",
            "parentcaller": "0x7ff7ccd38cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616a6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616a9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616af000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616b2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616b8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616bb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616be000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616c1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616c2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd3906c",
            "parentcaller": "0x7ff7ccd38cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616c5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616c8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616cb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616ce000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63910000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34895",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63916000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34895",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63919000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd348d0",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616a4000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd348d0",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616a4000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd3906c",
            "parentcaller": "0x7ff7ccd38cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e616ed000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "2132",
            "caller": "0x7ff7ccd34661",
            "parentcaller": "0x7ff7ccd3906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e6391c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2025-11-19 20:41:29,414",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63915000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2025-11-19 20:41:29,414",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NETAPI32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed6960000"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2025-11-19 20:41:29,414",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "NETAPI32.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed6960000"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2025-11-19 20:41:29,414",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\samcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2025-11-19 20:41:29,414",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5050000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00019000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2025-11-19 20:41:29,414",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SAMCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed5050000"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2025-11-19 20:41:29,414",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\srvcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2025-11-19 20:41:29,414",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000394"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed6e00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00028000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2025-11-19 20:41:29,414",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SRVCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed6e00000"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0060000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NETUTILS"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0060000"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\logoncli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000394"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0070000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00043000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\LOGONCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0070000"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\schedcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc210000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SCHEDCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc210000"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wkscli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000394"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfcf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00019000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WKSCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedfcf0000"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dsrole.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc560000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DSROLE"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc560000"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wkscli.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfcf0000"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PIPE\\wkssvc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "FileInformationClass",
                "value": "23",
                "pretty_value": "FilePipeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8>ca^\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\cscapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffece280000"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "cscapi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffece280000"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PIPE\\srvsvc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2025-11-19 20:41:29,430",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ec"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "23",
                "pretty_value": "FilePipeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ec"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ec"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8>ca^\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PIPE\\srvsvc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "23",
                "pretty_value": "FilePipeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8>ca^\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1660000"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\ru-RU\\cimwin32.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x25e63a10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x8cafd7b730"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2025-11-19 20:41:29,446",
            "thread_id": "2188",
            "caller": "0x7ff7ccd4158d",
            "parentcaller": "0x7ff7ccd411eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a80000"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2025-11-19 20:42:32,680",
            "thread_id": "2128",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003e0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 257
          }
        ],
        "threads": [
          "3552",
          "1460",
          "2132",
          "2188",
          "3852",
          "2128"
        ],
        "environ": {
          "UserName": "HOME-PC$",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff7ccd30000",
          "MainExeSize": "0x0007e000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 1756,
        "process_name": "svchost.exe",
        "parent_id": 600,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "first_seen": "2025-11-19 20:41:27,227",
        "calls": [
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1780",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1780",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffed967359f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed40d0000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1780",
            "caller": "0x7ffed96735f7",
            "parentcaller": "0x7ffee2f7b20e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-19 20:41:29,289",
            "thread_id": "1780",
            "caller": "0x7ffed43d3a1a",
            "parentcaller": "0x7ffed40e8f9b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "1780",
            "caller": "0x7ffed95f2c1e",
            "parentcaller": "0x7ffed40e9057",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "1780",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fea195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "3240",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "3240",
            "caller": "0x7ffed43d4e9b",
            "parentcaller": "0x7ffed43d6a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 7
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "3240",
            "caller": "0x7ffed40e6b2d",
            "parentcaller": "0x7ffed43ccae0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 8
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "3240",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fea195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 9
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "3240",
            "caller": "0x7ffed43d4e9b",
            "parentcaller": "0x7ffed43d6a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 10
          },
          {
            "timestamp": "2025-11-19 20:41:29,305",
            "thread_id": "1780",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 11
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "3428",
            "caller": "0x7ffed9562508",
            "parentcaller": "0x7ffed9564a51",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 7,
            "id": 12
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "1780",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fcd5b5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2025-11-19 20:41:29,321",
            "thread_id": "1780",
            "caller": "0x7ffed40e8250",
            "parentcaller": "0x7ffee33bb583",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "3240",
            "caller": "0x7ffed43d4e9b",
            "parentcaller": "0x7ffed43d6a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "3240",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "3240",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffed95eb50c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000005c4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000068c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "3240",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffed95eb50c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000005c4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000694"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "3428",
            "caller": "0x7ffed43d2823",
            "parentcaller": "0x7ffed43d978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "3428",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "3428",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006b8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "3428",
            "caller": "0x7ffed3fea85f",
            "parentcaller": "0x7ffed3fea778",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "3428",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee2f66d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000698"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2025-11-19 20:41:29,336",
            "thread_id": "1780",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 24
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "1780",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fcd5b5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "1780",
            "caller": "0x7ffed40e8250",
            "parentcaller": "0x7ffee33bb583",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3240",
            "caller": "0x7ffee10fbefb",
            "parentcaller": "0x7ffed5dea158",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3240",
            "caller": "0x7ffee10fbefb",
            "parentcaller": "0x7ffed5dea158",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xe0\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3240",
            "caller": "0x7ffee10fbefb",
            "parentcaller": "0x7ffed5dea158",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3240",
            "caller": "0x7ffee10fbefb",
            "parentcaller": "0x7ffed5dea158",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 h\\x01\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3240",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fea195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "2440",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006d0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3240",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffed95eb50c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006c8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006d4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3240",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffed95eb50c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006c8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006d8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3160",
            "caller": "0x7ffed43d2823",
            "parentcaller": "0x7ffed43cffb3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3160",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3160",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000678"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3160",
            "caller": "0x7ffed3fea85f",
            "parentcaller": "0x7ffed3fea778",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3160",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee2f66d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000674"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3816",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000066c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2025-11-19 20:41:29,383",
            "thread_id": "3816",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2025-11-19 20:41:29,399",
            "thread_id": "3816",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 42
          },
          {
            "timestamp": "2025-11-19 20:42:17,446",
            "thread_id": "2684",
            "caller": "0x7ff630564340",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2025-11-19 20:42:17,446",
            "thread_id": "2684",
            "caller": "0x7ff630564340",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2025-11-19 20:42:17,446",
            "thread_id": "2684",
            "caller": "0x7ff630564340",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2025-11-19 20:42:20,821",
            "thread_id": "2312",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002b4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 46
          }
        ],
        "threads": [
          "1780",
          "3240",
          "3428",
          "2440",
          "3160",
          "3816",
          "2684",
          "2312"
        ],
        "environ": {
          "UserName": "СИСТЕМА",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff630560000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "explorer.exe",
        "pid": 2552,
        "parent_id": 2516,
        "module_path": "C:\\Windows\\explorer.exe",
        "children": [],
        "threads": [
          "560",
          "2744",
          "2824",
          "2768",
          "2800",
          "2276",
          "2996",
          "2624",
          "4032",
          "3512",
          "2840",
          "1856"
        ],
        "environ": {
          "UserName": "Admin",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\Explorer.EXE",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff735ff0000",
          "MainExeSize": "0x00546000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "PoliceAssist.exe",
        "pid": 1324,
        "parent_id": 1800,
        "module_path": "C:\\Temp\\PoliceAssist.exe",
        "children": [],
        "threads": [
          "1884",
          "1652",
          "1680",
          "1688",
          "2196",
          "3064",
          "4092",
          "3612",
          "1808",
          "3316",
          "3844"
        ],
        "environ": {
          "UserName": "Admin",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "\"C:\\Temp\\PoliceAssist.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x140000000",
          "MainExeSize": "0x0013a000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "svchost.exe",
        "pid": 740,
        "parent_id": 600,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "children": [
          {
            "name": "WmiPrvSE.exe",
            "pid": 4036,
            "parent_id": 740,
            "module_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
            "children": [],
            "threads": [
              "3552",
              "1460",
              "2132",
              "2188",
              "3852",
              "2128"
            ],
            "environ": {
              "UserName": "HOME-PC$",
              "ComputerName": "HOME-PC",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Temp\\",
              "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "a0c0-2cc3",
              "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff7ccd30000",
              "MainExeSize": "0x0007e000",
              "Bitness": "64-bit"
            }
          }
        ],
        "threads": [
          "632",
          "872",
          "3840",
          "3452",
          "912"
        ],
        "environ": {
          "UserName": "СИСТЕМА",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff630560000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "svchost.exe",
        "pid": 1756,
        "parent_id": 600,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "children": [],
        "threads": [
          "1780",
          "3240",
          "3428",
          "2440",
          "3160",
          "3816",
          "2684",
          "2312"
        ],
        "environ": {
          "UserName": "СИСТЕМА",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff630560000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "\\Device\\Bam",
        "C:\\",
        "C:\\Temp",
        "C:\\Temp\\PoliceAssist.exe",
        "C:\\Temp\\policeassist.exe",
        "C:\\SystemResources\\policeassist.exe.mun",
        "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Explorer",
        "C:\\Windows\\WindowsShell.Manifest",
        "C:\\Windows\\System32\\kernel.appcore.dll",
        "\\Device\\CNG",
        "C:\\Windows\\Fonts\\staticcache.dat",
        "C:\\Temp\\TextShaping.dll",
        "C:\\Windows\\System32\\TextShaping.dll",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Windows\\System32\\uxtheme.dll.Config",
        "C:\\Windows\\System32\\uxtheme.dll",
        "C:\\Windows\\System32\\windows.storage.dll",
        "C:\\Temp\\Wldp.dll",
        "C:\\Windows\\System32\\wldp.dll",
        "C:\\Windows\\System32\\sxs.dll",
        "C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
        "C:\\Windows\\System32\\C_1252.NLS",
        "C:\\Windows\\System32\\stdole2.tlb",
        "C:\\Windows\\System32\\winhttp.dll",
        "C:\\Windows\\System32\\ru-RU\\mswsock.dll.mui",
        "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui",
        "C:\\Temp\\ncrypt.dll",
        "C:\\Windows\\System32\\ncrypt.dll",
        "C:\\Windows\\System32\\ci.dll",
        "C:\\Windows\\System32\\dnsapi.dll",
        "C:\\Windows\\System32\\wuaueng.dll",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "C:\\Windows\\System32\\NgcRecovery.dll",
        "C:\\Windows\\System32\\ru-RU\\CRYPT32.dll.mui",
        "\\??\\PhysicalDrive0",
        "C:\\Windows\\SystemResources\\USER32.dll.mun",
        "C:\\Windows\\System32\\ru-RU\\USER32.dll.mui",
        "C:\\Windows\\System32\\rpcss.dll",
        "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
        "C:\\Windows\\System32\\winbrand.dll",
        "C:\\Windows\\Branding\\Basebrd\\basebrd.dll",
        "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui",
        "C:",
        "C:\\Windows\\System32\\secur32.dll",
        "C:\\Windows\\System32\\tzres.dll",
        "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui",
        "C:\\Windows\\System32\\samcli.dll",
        "C:\\Windows\\System32\\srvcli.dll",
        "C:\\Windows\\System32\\netutils.dll",
        "C:\\Windows\\System32\\logoncli.dll",
        "C:\\Windows\\System32\\schedcli.dll",
        "C:\\Windows\\System32\\wkscli.dll",
        "C:\\Windows\\System32\\dsrole.dll",
        "\\??\\PIPE\\wkssvc",
        "\\??\\PIPE\\srvsvc",
        "C:\\Windows\\System32\\wbem\\ru-RU\\cimwin32.dll.mui"
      ],
      "read_files": [],
      "write_files": [
        "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
        "\\??\\PIPE\\wkssvc",
        "\\??\\PIPE\\srvsvc"
      ],
      "delete_files": [],
      "keys": [
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration",
        "HKEY_CURRENT_USER",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\PoliceAssist.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444B-8957-A3773F02200E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom",
        "HKEY_CURRENT_USER\\Software\\Classes",
        "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\419",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\19",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64",
        "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Codepage",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\1252",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64",
        "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\WinHttp.WinHttpRequest.5.1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087C2F4-2CEF-4953-A8AB-66779B670495}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryAdapterName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableAdapterDomainName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseDomainNameDevolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UseDomainNameDevolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PrioritizeRecordData",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AppendToMultiLabelName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenBadTlds",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenUnreachableServers",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenDefaultServers",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterClusterIp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseEdns",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryIpMatching",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseHostsFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AddrConfigControl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableSmartNameResolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PreferLocalOverLowerBindingDNS",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryNetBTFQDN",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableSmartProtocolReordering",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UdpRecvBufferSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableParallelAandAAAA",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableCoalescing",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterVPNTrigger",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMultiHomedRouteConflicts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ForceQueriesOverTcp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShareTcpConnections",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableDynamicUpdate",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterPrimaryName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterAdapterName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterReverseLookup",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterWanAdapters",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableWanDynamicUpdate",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateSecurityLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UpdateSecurityLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationOverwrite",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCachedSockets",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableServerUnreachability",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMulticast",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastResponderFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMDNS",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsTest",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseCompartments",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\CacheAllCompartments",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseNewRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\NewDhcpSrvRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessPreferLocal",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableIdnEncoding",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableIdnMapping",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShortnameProxyDefault",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableNRPTForAdapterRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutHistoryLength",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutRecalculationInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextLockCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextListCount",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Cryptography\\ECCParameters",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableSerialChain",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\DisallowedCertSyncDeltaTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllOpenStoreProv",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\PhysicalStores",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root\\PhysicalStores",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\SmartCardRoot",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA\\PhysicalStores",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA\\PhysicalStores",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableAutoFlushProcessNameList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushFirstDeltaSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushNextDeltaSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyCertificateChainPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyCertificateChainPolicy",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRulesLogDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesLastSyncTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\1252",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryAdapterName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableAdapterDomainName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseDomainNameDevolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UseDomainNameDevolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PrioritizeRecordData",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AppendToMultiLabelName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenBadTlds",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenUnreachableServers",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenDefaultServers",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterClusterIp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseEdns",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryIpMatching",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseHostsFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AddrConfigControl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableSmartNameResolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PreferLocalOverLowerBindingDNS",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryNetBTFQDN",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableSmartProtocolReordering",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UdpRecvBufferSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableParallelAandAAAA",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableCoalescing",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterVPNTrigger",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMultiHomedRouteConflicts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ForceQueriesOverTcp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShareTcpConnections",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableDynamicUpdate",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterPrimaryName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterAdapterName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterReverseLookup",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterWanAdapters",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableWanDynamicUpdate",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateSecurityLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UpdateSecurityLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationOverwrite",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCachedSockets",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableServerUnreachability",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMulticast",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastResponderFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMDNS",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsTest",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseCompartments",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\CacheAllCompartments",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseNewRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\NewDhcpSrvRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessPreferLocal",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableIdnEncoding",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableIdnMapping",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShortnameProxyDefault",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableNRPTForAdapterRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutHistoryLength",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutRecalculationInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextLockCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextListCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableSerialChain",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\DisallowedCertSyncDeltaTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableAutoFlushProcessNameList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushFirstDeltaSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushNextDeltaSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRulesLogDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesLastSyncTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl"
      ],
      "write_keys": [],
      "delete_keys": [],
      "executed_commands": [
        "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
      ],
      "resolved_apis": [
        "ntdll.dll.RtlWow64GetCurrentMachine",
        "ntdll.dll.RtlWow64IsWowGuestMachineSupported"
      ],
      "mutexes": [
        "Local\\SM0:1324:304:WilStaging_02",
        "AHK Keybd",
        "AHK Mouse"
      ],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:22,014",
        "eid": 1,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:22,014",
        "eid": 2,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfb90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:24,124",
        "eid": 3,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,983",
        "eid": 4,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,983",
        "eid": 5,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,983",
        "eid": 6,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,999",
        "eid": 7,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,014",
        "eid": 8,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,030",
        "eid": 9,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,045",
        "eid": 10,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,061",
        "eid": 11,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,077",
        "eid": 12,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,092",
        "eid": 13,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,108",
        "eid": 14,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,124",
        "eid": 15,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,139",
        "eid": 16,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,155",
        "eid": 17,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,170",
        "eid": 18,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,186",
        "eid": 19,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,608",
        "eid": 20,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,608",
        "eid": 21,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:30,608",
        "eid": 22,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:43:31,264",
        "eid": 23,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.CloudStore.Schema.Shell.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffece180000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,682",
        "eid": 24,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,682",
        "eid": 25,
        "data": {
          "file": "LPK",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,682",
        "eid": 26,
        "data": {
          "file": "GDI32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,729",
        "eid": 27,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,729",
        "eid": 28,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,729",
        "eid": 29,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,729",
        "eid": 30,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,729",
        "eid": 31,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,729",
        "eid": 32,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffede5b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,729",
        "eid": 33,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,729",
        "eid": 34,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 35,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 36,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 37,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 38,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 39,
        "data": {
          "file": "kernel32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 40,
        "data": {
          "file": "comctl32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 41,
        "data": {
          "file": "gdi32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 42,
        "data": {
          "classname": "AutoHotkey",
          "windowname": "C:\\Temp\\PoliceAssist.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 43,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 44,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 45,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,745",
        "eid": 46,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,760",
        "eid": 47,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,760",
        "eid": 48,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,776",
        "eid": 49,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,776",
        "eid": 50,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
          "content": "C:\\Windows\\Fonts\\staticcache.dat"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 51,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 52,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
          "content": "SimSun-ExtB"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 53,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 54,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 55,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 56,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 57,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 58,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 59,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 60,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 61,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 62,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 63,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 64,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 65,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 66,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 67,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecf5a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,791",
        "eid": 68,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,807",
        "eid": 69,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,807",
        "eid": 70,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1660000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,807",
        "eid": 71,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,807",
        "eid": 72,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,807",
        "eid": 73,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru",
          "content": "{0000004A-57EE-1E5C-00B4-D0000BB1E11E}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,807",
        "eid": 74,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1f70000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,807",
        "eid": 75,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,807",
        "eid": 76,
        "data": {
          "file": "comctl32",
          "pathtofile": null,
          "moduleaddress": "0x7ffecf5a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,807",
        "eid": 77,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2025-11-19 20:41:21,823",
        "eid": 78,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,838",
        "eid": 79,
        "data": {
          "file": "api-ms-win-eventing-provider-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 80,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 81,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 82,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 83,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
          "content": "ProgramFilesX86"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 84,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 85,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 86,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 87,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 88,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 89,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21817"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 90,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 91,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 92,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 93,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 94,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 95,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 96,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 97,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 98,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 99,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
          "content": "C:\\Program Files (x86)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 104,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 105,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name",
          "content": "ProgramFilesX64"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 106,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 107,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 108,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 111,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 117,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 118,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 119,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 120,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 121,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 122,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 123,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 124,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,854",
        "eid": 125,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
          "content": "C:\\Program Files"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 126,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 127,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
          "content": "SystemX86"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 128,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 129,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 133,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 142,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 143,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 144,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 145,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 146,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 147,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 148,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 149,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
          "content": "System"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 150,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 151,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 152,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 153,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 154,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 155,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 156,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 157,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 158,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 161,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 162,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 164,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 166,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 167,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 168,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 169,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 170,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
          "content": "Windows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 171,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 172,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 173,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 174,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 175,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:21,870",
        "eid": 189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:24,135",
        "eid": 190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2025-11-19 20:41:24,151",
        "eid": 191,
        "data": {
          "classname": "#32771",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,166",
        "eid": 192,
        "data": {
          "file": "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1090000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,166",
        "eid": 193,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed9590000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,166",
        "eid": 194,
        "data": {
          "file": "C:\\Windows\\System32\\advapi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2b50000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,182",
        "eid": 195,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedc220000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,182",
        "eid": 196,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wmiutils.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed9560000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,229",
        "eid": 197,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemsvc.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedb270000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,245",
        "eid": 198,
        "data": {
          "file": "api-ms-win-core-localization-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1090000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,245",
        "eid": 199,
        "data": {
          "file": "api-ms-win-core-localization-obsolete-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1090000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,432",
        "eid": 200,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\fastprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed3fc0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:25,432",
        "eid": 201,
        "data": {
          "file": "amsi.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffede1c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,463",
        "eid": 202,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
          "content": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,463",
        "eid": 203,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,463",
        "eid": 204,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,479",
        "eid": 205,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,479",
        "eid": 206,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\1252",
          "content": "c_1252.nls"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,479",
        "eid": 207,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,479",
        "eid": 208,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,479",
        "eid": 209,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,495",
        "eid": 210,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,495",
        "eid": 211,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,495",
        "eid": 212,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:25,495",
        "eid": 213,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
          "content": "{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 219,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": "%systemroot%\\system32\\wbem\\fastprox.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 229,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": "%systemroot%\\system32\\wbem\\fastprox.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,510",
        "eid": 230,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,526",
        "eid": 231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,526",
        "eid": 232,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
          "content": "{7C857801-7381-11CF-884D-00AA004B2E24}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,526",
        "eid": 233,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
          "content": "{7C857801-7381-11CF-884D-00AA004B2E24}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:25,526",
        "eid": 234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
          "content": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,463",
        "eid": 235,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
          "content": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,463",
        "eid": 236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
          "content": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,463",
        "eid": 237,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,479",
        "eid": 238,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,479",
        "eid": 239,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,479",
        "eid": 240,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,479",
        "eid": 241,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,479",
        "eid": 242,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,495",
        "eid": 243,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,495",
        "eid": 244,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,495",
        "eid": 245,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,495",
        "eid": 246,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 247,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)",
          "content": "{2087c2f4-2cef-4953-a8ab-66779b670495}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)",
          "content": "{2087c2f4-2cef-4953-a8ab-66779b670495}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)",
          "content": "WinHttpRequest Component version 5.1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 253,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 254,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\winhttpcom.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,510",
        "eid": 256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\ThreadingModel",
          "content": "Apartment"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,526",
        "eid": 257,
        "data": {
          "file": "C:\\Windows\\System32\\winhttpcom.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed5f30000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,541",
        "eid": 258,
        "data": {
          "file": "winhttp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed8a20000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,541",
        "eid": 259,
        "data": {
          "file": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecb2e0000"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,541",
        "eid": 260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,541",
        "eid": 261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,557",
        "eid": 262,
        "data": {
          "file": "C:\\Windows\\System32\\mswsock.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0260000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,573",
        "eid": 263,
        "data": {
          "file": "C:\\Windows\\System32\\mswsock.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0260000"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryAdapterName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableAdapterDomainName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 267,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseDomainNameDevolution",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 268,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UseDomainNameDevolution",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PrioritizeRecordData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AppendToMultiLabelName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 274,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenBadTlds",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenUnreachableServers",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 276,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenDefaultServers",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 277,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 278,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterClusterIp",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 279,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 280,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseEdns",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 281,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 282,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 283,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 284,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryIpMatching",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 285,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseHostsFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 286,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AddrConfigControl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 287,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableSmartNameResolution",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PreferLocalOverLowerBindingDNS",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 289,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryNetBTFQDN",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 290,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableSmartProtocolReordering",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 291,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UdpRecvBufferSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 292,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableParallelAandAAAA",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 293,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableCoalescing",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 294,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterVPNTrigger",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 295,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMultiHomedRouteConflicts",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ForceQueriesOverTcp",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShareTcpConnections",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationEnabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableDynamicUpdate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 300,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterPrimaryName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 301,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterAdapterName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 302,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 303,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterReverseLookup",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 304,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 305,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegisterWanAdapters",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 306,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableWanDynamicUpdate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 307,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationTtl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 308,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 309,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 310,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 311,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 312,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 313,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateSecurityLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 314,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UpdateSecurityLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 315,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 316,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 317,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationOverwrite",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 318,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 319,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheTtl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 320,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 321,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 322,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 323,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCachedSockets",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 324,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableServerUnreachability",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 325,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMulticast",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 326,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastResponderFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 327,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 328,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 329,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMDNS",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 330,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsTest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 331,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseCompartments",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 332,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\CacheAllCompartments",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 333,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseNewRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 334,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 335,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\NewDhcpSrvRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 337,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessPreferLocal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 338,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableIdnEncoding",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 339,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableIdnMapping",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 340,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShortnameProxyDefault",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 341,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableNRPTForAdapterRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 342,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutHistoryLength",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 343,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutRecalculationInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 344,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQueryTimeouts",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 345,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQueryTimeouts",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 346,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 347,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 348,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 349,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 350,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
          "content": "HOME-PC"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 351,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 352,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 353,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain",
          "content": ""
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 354,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 355,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,588",
        "eid": 356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
          "content": "HOME-PC"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,604",
        "eid": 357,
        "data": {
          "file": "C:\\Windows\\System32\\FWPUCLNT.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ffed8cb0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,604",
        "eid": 358,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,604",
        "eid": 359,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,604",
        "eid": 360,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,604",
        "eid": 361,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,604",
        "eid": 362,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,604",
        "eid": 363,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,620",
        "eid": 364,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,651",
        "eid": 365,
        "data": {
          "file": "C:\\Windows\\System32\\schannel.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfaa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,651",
        "eid": 366,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,651",
        "eid": 367,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,651",
        "eid": 368,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextLockCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,651",
        "eid": 369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextListCount",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,776",
        "eid": 370,
        "data": {
          "file": "sspicli.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0a40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,776",
        "eid": 371,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,776",
        "eid": 372,
        "data": {
          "file": "mskeyprotect.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecb060000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,776",
        "eid": 373,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,791",
        "eid": 374,
        "data": {
          "file": "C:\\Windows\\System32\\ncryptsslp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecb1a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,791",
        "eid": 375,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,791",
        "eid": 376,
        "data": {
          "file": "C:\\Windows\\System32\\bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1390000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,791",
        "eid": 377,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 378,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name",
          "content": "@%SystemRoot%\\System32\\ci.dll,-100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 379,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 380,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100",
          "content": "Isolated User Mode (IUM)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 381,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name",
          "content": "@%SystemRoot%\\System32\\ci.dll,-100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 382,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 383,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100",
          "content": "Isolated User Mode (IUM)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 384,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name",
          "content": "@%SystemRoot%\\System32\\ci.dll,-101"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 385,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 386,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101",
          "content": "Enclave"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 387,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name",
          "content": "@%SystemRoot%\\System32\\ci.dll,-101"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 388,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 389,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101",
          "content": "Enclave"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 391,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 392,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
          "content": "\\x414\\x43e\\x432\\x435\\x440\\x435\\x43d\\x43d\\x44b\\x439 DNS-\\x441\\x435\\x440\\x432\\x435\\x440"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 394,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 395,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
          "content": "\\x414\\x43e\\x432\\x435\\x440\\x435\\x43d\\x43d\\x44b\\x439 DNS-\\x441\\x435\\x440\\x432\\x435\\x440"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 396,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name",
          "content": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 397,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 398,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400",
          "content": "\\x426\\x435\\x43d\\x442\\x440 \\x43e\\x431\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name",
          "content": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 401,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400",
          "content": "\\x426\\x435\\x43d\\x442\\x440 \\x43e\\x431\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 404,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124",
          "content": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x434\\x43e\\x43a\\x443\\x43c\\x435\\x43d\\x442\\x43e\\x432"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,807",
        "eid": 407,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124",
          "content": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x434\\x43e\\x43a\\x443\\x43c\\x435\\x43d\\x442\\x43e\\x432"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 410,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100",
          "content": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x43a\\x43b\\x44e\\x447\\x430 \\x432\\x43e\\x441\\x441\\x442\\x430\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows Hello"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 412,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 413,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100",
          "content": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x43a\\x43b\\x44e\\x447\\x430 \\x432\\x43e\\x441\\x441\\x442\\x430\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows Hello"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 414,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 415,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableSerialChain",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 417,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 418,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 419,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\DisallowedCertSyncDeltaTime",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 420,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,823",
        "eid": 421,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 422,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 423,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 424,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 425,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 427,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 428,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 429,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableAutoFlushProcessNameList",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 432,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushFirstDeltaSeconds",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 433,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushNextDeltaSeconds",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 434,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 437,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 442,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 443,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 444,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 445,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 446,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 447,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 448,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 449,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 450,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 451,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 452,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 453,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 454,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 455,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob",
          "content": "\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\xb1\\xbc\\x96\\x8b\\xd4\\xf4\\x9db*\\xa8\\x9a\\x81\\xf2\\x15\\x01R\\xa4\\x1d\\x82\\x9c~\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x04+\\xebw\\xd5\\x01z\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x000\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x7f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x000\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x1d\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00n\\xe7\\xf3\\xb0`\\xd1\\x0e\\x90\\xa3\\x1b\\xa3G\\x1b\\x99\\x926\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x14\\x00\\x00\\x00`{f\\x1aE\r\\x97\\xca\\x89P/}\\x04\\xcd4\\xa8\\xff\\xfc\\xfdKb\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\xeb\\xd4\\x10@\\xe4\\xbb>\\xc7B\\xc9\\xe3\\x81\\xd3\\x1e\\xf2\\xa4\\x1aH\\xb6h\\\\x96\\xe7\\xce\\xf3\\xc1\\xdfl\\xd43\\x1c\\x99\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\x00\\x00\\x00G\\x00l\\x00o\\x00b\\x00a\\x00l\\x00S\\x00i\\x00g\\x00n\\x00 \\x00R\\x00o\\x00o\\x00t\\x00 \\x00C\\x00A\\x00 \\x00-\\x00 \\x00R\\x001\\x00\\x00\\x00S\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\x00\\x00\\x000>0\\x1f\\x06\t+\\x06\\x01\\x04\\x01\\xa02\\x01\\x010\\x120\\x10\\x06\n+\\x06\\x01\\x04\\x01\\x827<\\x01\\x01\\x03\\x02\\x00\\xc00\\x1b\\x06\\x05g\\x81\\x0c\\x01\\x030\\x120\\x10\\x06\n+\\x06\\x01\\x04\\x01\\x827<\\x01\\x01\\x03\\x02\\x00\\xc0\t\\x00\\x00\\x00\\x01\\x00\\x00\\x00h\\x00\\x00\\x000f\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x02\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x03\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\\x04\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x04\\x06\\x08+\\x06\\x01\\x05\\x05\\x08\\x02\\x02\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x06\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x07\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x01\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x08 
\\x00\\x00\\x00\\x01\\x00\\x00\\x00y\\x03\\x00\\x000\\x82\\x03u0\\x82\\x02]\\xa0\\x03\\x02\\x01\\x02\\x02\\x0b\\x04\\x00\\x00\\x00\\x00\\x01\\x15KZ\\xc3\\x940\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x05\\x05\\x000W1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 456,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRulesLogDir",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 458,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesLastSyncTime",
          "content": "\\xaf\\xa4!\\x93\\xa7Y\\xdc\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-19 20:41:29,838",
        "eid": 460,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl",
          "content": "0\\x82E\\x94\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x07\\x02\\xa0\\x82E\\x850\\x82E\\x81\\x02\\x01\\x011\\x0b0\t\\x06\\x05+\\x0e\\x03\\x02\\x1a\\x05\\x000\\x82'\\xee\\x06\t+\\x06\\x01\\x04\\x01\\x827\n\\x01\\xa0\\x82'\\xdf0\\x82'\\xdb0\\x0c\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03 \\x04,P\\x00i\\x00n\\x00R\\x00u\\x00l\\x00e\\x00s\\x00_\\x00A\\x00u\\x00t\\x00o\\x00U\\x00p\\x00d\\x00a\\x00t\\x00e\\x00_\\x001\\x00\\x00\\x00\\x02\\x08\\x01\\xd2\\xdae\\xad\\xdb@7\\x17\r170531232859Z\\x17\r180601232859Z0\\x0e\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\"\\x05\\x000\\x82\\x1f\\xa30)\\x04\\x12.files-df.1drv.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000&\\x04\\x0f.files.1drv.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x0004\\x04\n.aadrm.com1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x0101\\x04\\x07.afx.ms1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x0105\\x04\\x0b.akadns.net1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x010%\\x04\\x0e.aspnetcdn.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x0008\\x04\\x0e.azure-int.net1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,901",
        "eid": 461,
        "data": {
          "file": "C:\\Windows\\System32\\mlang.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffec5430000"
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2025-11-19 20:41:29,901",
        "eid": 462,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,932",
        "eid": 463,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecf5a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,963",
        "eid": 464,
        "data": {
          "file": "C:\\Windows\\System32\\msctf.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee21a0000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2025-11-19 20:41:27,120",
        "eid": 465,
        "data": {
          "file": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,995",
        "eid": 466,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfb90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:27,180",
        "eid": 467,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1660000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,289",
        "eid": 468,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedc220000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,289",
        "eid": 469,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemsvc.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedb270000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,305",
        "eid": 470,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\fastprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed3fc0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,305",
        "eid": 471,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wmiutils.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed9560000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,336",
        "eid": 472,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\cimwin32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffeca0f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,352",
        "eid": 473,
        "data": {
          "file": "wldp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0500000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,352",
        "eid": 474,
        "data": {
          "file": "wldp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0500000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,368",
        "eid": 475,
        "data": {
          "file": "wldp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0500000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,368",
        "eid": 476,
        "data": {
          "file": "wldp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0500000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,368",
        "eid": 477,
        "data": {
          "file": "SECURITY.DLL",
          "pathtofile": null,
          "moduleaddress": "0x25e61d60000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,368",
        "eid": 478,
        "data": {
          "file": "C:\\Windows\\System32\\schannel.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfaa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,383",
        "eid": 479,
        "data": {
          "file": "NTDLL.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ffee3470000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,414",
        "eid": 480,
        "data": {
          "file": "NETAPI32.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ffed6960000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,430",
        "eid": 481,
        "data": {
          "file": "wkscli.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfcf0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,430",
        "eid": 482,
        "data": {
          "file": "cscapi.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffece280000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,446",
        "eid": 483,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1660000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,446",
        "eid": 484,
        "data": {
          "file": "OLEAUT32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2a80000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-19 20:41:29,289",
        "eid": 485,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed40d0000"
        }
      }
    ],
    "encryptedbuffers": [
      {
        "process_name": "PoliceAssist.exe",
        "pid": 1324,
        "api_call": "SslEncryptPacket",
        "buffer": "GET /raw/04TKQkE1 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pastebin.com",
        "buffer_size": "158"
      }
    ]
  },
  "debug": {
    "log": "2025-11-20 02:01:41,562 [root] INFO: Date set to: 20251119T23:41:11, timeout set to: 200\n2025-11-19 23:41:11,008 [root] DEBUG: Starting analyzer from: C:\\2oozvway\n2025-11-19 23:41:11,009 [root] DEBUG: Storing results at: C:\\xVgYcbaMe\n2025-11-19 23:41:11,009 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\atJNpNkCXZ\n2025-11-19 23:41:11,009 [root] DEBUG: Python path: C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32\n2025-11-19 23:41:11,010 [root] INFO: analysis running as an admin\n2025-11-19 23:41:11,010 [root] INFO: analysis package specified: \"exe\"\n2025-11-19 23:41:11,010 [root] DEBUG: importing analysis package module: \"modules.packages.exe\"...\n2025-11-19 23:41:11,017 [root] DEBUG: imported analysis package \"exe\"\n2025-11-19 23:41:11,018 [root] DEBUG: initializing analysis package \"exe\"...\n2025-11-19 23:41:11,018 [lib.common.common] INFO: wrapping\n2025-11-19 23:41:11,018 [lib.core.compound] INFO: C:\\Temp already exists, skipping creation\n2025-11-19 23:41:11,019 [root] DEBUG: New location of moved file: C:\\Temp\\PoliceAssist.exe\n2025-11-19 23:41:11,019 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option\n2025-11-19 23:41:11,020 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option\n2025-11-19 23:41:11,020 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option\n2025-11-19 23:41:11,020 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option\n2025-11-19 23:41:11,041 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2025-11-19 23:41:11,051 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2025-11-19 23:41:11,073 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2025-11-19 23:41:11,101 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2025-11-19 23:41:11,108 [lib.api.screenshot] DEBUG: Importing 
'PIL.ImageChops'\n2025-11-19 23:41:11,176 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'\n2025-11-19 23:41:11,179 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'\n2025-11-19 23:41:11,202 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance\n2025-11-19 23:41:11,203 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2025-11-19 23:41:11,207 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2025-11-19 23:41:11,208 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2025-11-19 23:41:11,208 [root] DEBUG: attempting to configure 'Browser' from data\n2025-11-19 23:41:11,210 [root] DEBUG: module Browser does not support data configuration, ignoring\n2025-11-19 23:41:11,211 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2025-11-19 23:41:11,212 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2025-11-19 23:41:11,212 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2025-11-19 23:41:11,213 [root] DEBUG: attempting to configure 'DigiSig' from data\n2025-11-19 23:41:11,213 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2025-11-19 23:41:11,214 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2025-11-19 23:41:11,214 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2025-11-19 23:41:11,524 [modules.auxiliary.digisig] DEBUG: File is not signed\n2025-11-19 23:41:11,525 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2025-11-19 23:41:11,526 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2025-11-19 23:41:11,526 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2025-11-19 23:41:11,526 [root] DEBUG: attempting to configure 'Disguise' from data\n2025-11-19 23:41:11,527 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2025-11-19 23:41:11,527 [root] DEBUG: Trying to start 
auxiliary module \"modules.auxiliary.disguise\"...\n2025-11-19 23:41:11,528 [modules.auxiliary.disguise] INFO: Disguising GUID to 4c1605f1-0d83-4df8-9125-33039ac196e8\n2025-11-19 23:41:11,528 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2025-11-19 23:41:11,529 [root] DEBUG: Initialized auxiliary module \"Human\"\n2025-11-19 23:41:11,529 [root] DEBUG: attempting to configure 'Human' from data\n2025-11-19 23:41:11,529 [root] DEBUG: module Human does not support data configuration, ignoring\n2025-11-19 23:41:11,530 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2025-11-19 23:41:11,532 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2025-11-19 23:41:11,532 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2025-11-19 23:41:11,532 [root] DEBUG: attempting to configure 'Screenshots' from data\n2025-11-19 23:41:11,533 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2025-11-19 23:41:11,533 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2025-11-19 23:41:11,534 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2025-11-19 23:41:11,534 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2025-11-19 23:41:11,534 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2025-11-19 23:41:11,535 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2025-11-19 23:41:11,535 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2025-11-19 23:41:11,537 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608\n2025-11-19 23:41:11,834 [lib.api.process] INFO: Monitor config for <Process 608 lsass.exe>: C:\\2oozvway\\dll\\608.ini\n2025-11-19 23:41:11,836 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-19 23:41:11,837 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to 
monitor\n2025-11-19 23:41:11,845 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2oozvway\\dll\\FvrgALd.dll, loader C:\\2oozvway\\bin\\alZEzoOD.exe\n2025-11-19 23:41:11,880 [root] DEBUG: Loader: Injecting process 608 with C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:11,902 [root] DEBUG: 608: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-19 23:41:11,903 [root] DEBUG: 608: Disabling sleep skipping.\n2025-11-19 23:41:11,905 [root] DEBUG: 608: Interactive desktop enabled.\n2025-11-19 23:41:11,906 [root] DEBUG: 608: TLS secret dump mode enabled.\n2025-11-19 23:41:11,944 [root] DEBUG: 608: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-19 23:41:11,945 [root] DEBUG: 608: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFEC4670000, thread 1880, image base 0x00007FF60EE30000, stack from 0x000000A5F48F2000-0x000000A5F4900000\n2025-11-19 23:41:11,945 [root] DEBUG: 608: Commandline: C:\\Windows\\system32\\lsass.exe\n2025-11-19 23:41:11,956 [root] DEBUG: 608: Hooked 5 out of 5 functions\n2025-11-19 23:41:11,958 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-19 23:41:11,959 [root] DEBUG: Successfully injected DLL C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:11,967 [lib.api.process] INFO: Injected into 64-bit <Process 608 lsass.exe>\n2025-11-19 23:41:11,968 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2025-11-19 23:41:11,968 [root] INFO: Interactive mode enabled - injecting into explorer shell\n2025-11-19 23:41:11,969 [lib.api.process] INFO: Monitor config for <Process 2552 explorer.exe>: C:\\2oozvway\\dll\\2552.ini\n2025-11-19 23:41:11,973 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-19 23:41:11,976 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2oozvway\\dll\\FvrgALd.dll, loader 
C:\\2oozvway\\bin\\alZEzoOD.exe\n2025-11-19 23:41:11,990 [root] DEBUG: Loader: Injecting process 2552 with C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:11,996 [root] DEBUG: 2552: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-19 23:41:11,998 [root] DEBUG: 2552: Disabling sleep skipping.\n2025-11-19 23:41:11,999 [root] DEBUG: 2552: Interactive desktop enabled.\n2025-11-19 23:41:11,999 [root] DEBUG: 2552: Dropped file limit defaulting to 100.\n2025-11-19 23:41:12,001 [root] DEBUG: 2552: Interactive desktop - injecting Explorer Shell\n2025-11-19 23:41:12,018 [root] DEBUG: 2552: YaraInit: Compiled 43 rule files\n2025-11-19 23:41:12,021 [root] DEBUG: 2552: YaraInit: Compiled rules saved to file C:\\2oozvway\\data\\yara\\capemon.yac\n2025-11-19 23:41:12,053 [root] DEBUG: 2552: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-19 23:41:12,054 [root] DEBUG: 2552: YaraScan: Scanning 0x00007FF735FF0000, size 0x545316\n2025-11-19 23:41:12,184 [root] DEBUG: 2552: Monitor initialised: 64-bit capemon loaded in process 2552 at 0x00007FFEC4670000, thread 1376, image base 0x00007FF735FF0000, stack from 0x0000000007C32000-0x0000000007C40000\n2025-11-19 23:41:12,185 [root] DEBUG: 2552: Commandline: C:\\Windows\\Explorer.EXE\n2025-11-19 23:41:12,203 [root] DEBUG: 2552: Hooked 69 out of 69 functions\n2025-11-19 23:41:12,273 [root] DEBUG: 2552: Syscall hook installed, syscall logging level 1\n2025-11-19 23:41:12,285 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-19 23:41:12,286 [root] DEBUG: Successfully injected DLL C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:12,290 [lib.api.process] INFO: Injected into 64-bit <Process 2552 explorer.exe>\n2025-11-19 23:41:17,341 [root] INFO: Restarting WMI Service\n2025-11-19 23:41:19,447 [root] DEBUG: package modules.packages.exe does not support configure, 
ignoring\n2025-11-19 23:41:19,448 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'\n2025-11-19 23:41:19,449 [lib.core.compound] INFO: C:\\Temp already exists, skipping creation\n2025-11-19 23:41:19,461 [lib.api.process] INFO: Successfully executed process from path \"C:\\Temp\\PoliceAssist.exe\" with arguments \"\" with pid 1324\n2025-11-19 23:41:19,462 [lib.api.process] INFO: Monitor config for <Process 1324 PoliceAssist.exe>: C:\\2oozvway\\dll\\1324.ini\n2025-11-19 23:41:19,463 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-19 23:41:19,466 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2oozvway\\dll\\FvrgALd.dll, loader C:\\2oozvway\\bin\\alZEzoOD.exe\n2025-11-19 23:41:19,476 [root] DEBUG: Loader: Injecting process 1324 (thread 1884) with C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:19,477 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2025-11-19 23:41:19,478 [root] DEBUG: Successfully injected DLL C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:19,480 [lib.api.process] INFO: Injected into 64-bit <Process 1324 PoliceAssist.exe>\n2025-11-19 23:41:21,494 [lib.api.process] INFO: Successfully resumed <Process 1324 PoliceAssist.exe>\n2025-11-19 23:41:21,510 [root] DEBUG: 1324: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-19 23:41:21,511 [root] DEBUG: 1324: Disabling sleep skipping.\n2025-11-19 23:41:21,513 [root] DEBUG: 1324: Interactive desktop enabled.\n2025-11-19 23:41:21,515 [root] DEBUG: 1324: Dropped file limit defaulting to 100.\n2025-11-19 23:41:21,520 [root] DEBUG: 1324: YaraInit: Compiled rules loaded from existing file C:\\2oozvway\\data\\yara\\capemon.yac\n2025-11-19 23:41:21,548 [root] DEBUG: 1324: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-19 23:41:21,550 [root] DEBUG: 1324: YaraScan: 
Scanning 0x0000000140000000, size 0x126a57\n2025-11-19 23:41:21,568 [root] DEBUG: 1324: Monitor initialised: 64-bit capemon loaded in process 1324 at 0x00007FFEC4670000, thread 1884, image base 0x0000000140000000, stack from 0x00000000007F5000-0x0000000000800000\n2025-11-19 23:41:21,569 [root] DEBUG: 1324: Commandline: \"C:\\Temp\\PoliceAssist.exe\"\n2025-11-19 23:41:21,580 [root] DEBUG: 1324: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress\n2025-11-19 23:41:21,636 [root] WARNING: b'Unable to place hook on LockResource'\n2025-11-19 23:41:21,637 [root] DEBUG: 1324: set_hooks: Unable to hook LockResource\n2025-11-19 23:41:21,650 [root] DEBUG: 1324: Hooked 619 out of 620 functions\n2025-11-19 23:41:21,671 [root] DEBUG: 1324: Syscall hook installed, syscall logging level 1\n2025-11-19 23:41:21,680 [root] DEBUG: 1324: RestoreHeaders: Restored original import table.\n2025-11-19 23:41:21,683 [root] INFO: Loaded monitor into process with pid 1324\n2025-11-19 23:41:21,702 [root] DEBUG: 1324: caller_dispatch: Added region at 0x0000000140000000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00000001400D415D, thread 1884).\n2025-11-19 23:41:21,703 [root] DEBUG: 1324: YaraScan: Scanning 0x0000000140000000, size 0x126a57\n2025-11-19 23:41:21,725 [root] DEBUG: 1324: ProcessImageBase: Main module image at 0x0000000140000000 unmodified (entropy change 0.000000e+00)\n2025-11-19 23:41:21,733 [root] DEBUG: 1324: set_hooks_by_export_directory: Hooked 0 out of 620 functions\n2025-11-19 23:41:21,733 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDEA70000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2025-11-19 23:41:21,736 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE1390000: C:\\Windows\\System32\\bcryptPrimitives (0x82000 bytes).\n2025-11-19 23:41:21,740 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDE5B0000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2025-11-19 23:41:21,755 [root] DEBUG: 1324: DLL 
loaded at 0x00007FFEE21A0000: C:\\Windows\\System32\\MSCTF (0x114000 bytes).\n2025-11-19 23:41:21,796 [root] DEBUG: 1324: DLL loaded at 0x00007FFED6980000: C:\\Windows\\SYSTEM32\\TextShaping (0xac000 bytes).\n2025-11-19 23:41:21,849 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\Wldp (0x2d000 bytes).\n2025-11-19 23:41:21,850 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDEC70000: C:\\Windows\\SYSTEM32\\windows.storage (0x79b000 bytes).\n2025-11-19 23:41:21,852 [root] DEBUG: 2552: YaraScan: Scanning 0x00007FF735FF0000, size 0x545316\n2025-11-19 23:41:21,855 [root] DEBUG: 2552: caller_dispatch: Added region at 0x00007FF735FF0000 to tracked regions list (combase::CoCreateInstance returns to 0x00007FF736098FBA, thread 2824).\n2025-11-19 23:41:21,856 [root] DEBUG: 2552: YaraScan: Scanning 0x00007FF735FF0000, size 0x545316\n2025-11-19 23:41:21,931 [root] DEBUG: 2552: ProcessImageBase: Main module image at 0x00007FF735FF0000 unmodified (entropy change 0.000000e+00)\n2025-11-19 23:41:21,935 [root] DEBUG: 2552: ProcessImageBase: Main module image at 0x00007FF735FF0000 unmodified (entropy change 0.000000e+00)\n2025-11-19 23:41:22,020 [lib.api.process] INFO: Monitor config for <Process 740 svchost.exe>: C:\\2oozvway\\dll\\740.ini\n2025-11-19 23:41:22,022 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-19 23:41:22,024 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2oozvway\\dll\\FvrgALd.dll, loader C:\\2oozvway\\bin\\alZEzoOD.exe\n2025-11-19 23:41:22,039 [root] DEBUG: Loader: Injecting process 740 with C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:22,043 [root] DEBUG: 740: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-19 23:41:22,044 [root] DEBUG: 740: Disabling sleep skipping.\n2025-11-19 23:41:22,045 [root] DEBUG: 740: Interactive desktop enabled.\n2025-11-19 23:41:22,046 [root] DEBUG: 740: Dropped file limit defaulting to 100.\n2025-11-19 23:41:22,049 
[root] DEBUG: 740: Services hook set enabled\n2025-11-19 23:41:22,053 [root] DEBUG: 740: YaraInit: Compiled rules loaded from existing file C:\\2oozvway\\data\\yara\\capemon.yac\n2025-11-19 23:41:22,080 [root] DEBUG: 740: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-19 23:41:22,081 [root] DEBUG: 740: Monitor initialised: 64-bit capemon loaded in process 740 at 0x00007FFEC4670000, thread 2848, image base 0x00007FF630560000, stack from 0x000000A00AB75000-0x000000A00AB80000\n2025-11-19 23:41:22,082 [root] DEBUG: 740: Commandline: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\n2025-11-19 23:41:22,098 [root] DEBUG: 740: Hooked 69 out of 69 functions\n2025-11-19 23:41:22,100 [root] INFO: Loaded monitor into process with pid 740\n2025-11-19 23:41:22,101 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-19 23:41:22,102 [root] DEBUG: Successfully injected DLL C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:22,105 [lib.api.process] INFO: Injected into 64-bit <Process 740 svchost.exe>\n2025-11-19 23:41:25,158 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE2C20000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2025-11-19 23:41:25,168 [root] DEBUG: 1324: DLL loaded at 0x00007FFED95E0000: C:\\Windows\\SYSTEM32\\wbemcomn (0x90000 bytes).\n2025-11-19 23:41:25,169 [root] DEBUG: 1324: DLL loaded at 0x00007FFED9590000: C:\\Windows\\system32\\wbem\\wbemdisp (0x4e000 bytes).\n2025-11-19 23:41:25,186 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDC220000: C:\\Windows\\system32\\wbem\\wbemprox (0x11000 bytes).\n2025-11-19 23:41:25,195 [root] DEBUG: 1324: DLL loaded at 0x00007FFED9560000: C:\\Windows\\system32\\wbem\\wmiutils (0x28000 bytes).\n2025-11-19 23:41:25,247 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDB270000: C:\\Windows\\system32\\wbem\\wbemsvc (0x14000 bytes).\n2025-11-19 23:41:25,343 [root] DEBUG: 1324: hook_api: WMI_ExecQuery export address 
0x00007FFED3FCD630 obtained via GetFunctionAddress\n2025-11-19 23:41:25,365 [root] DEBUG: 1324: hook_api: WMI_ExecMethod export address 0x00007FFED40630C0 obtained via GetFunctionAddress\n2025-11-19 23:41:25,446 [root] DEBUG: 1324: DLL loaded at 0x00007FFED3FC0000: C:\\Windows\\system32\\wbem\\fastprox (0x10b000 bytes).\n2025-11-19 23:41:25,449 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDE1C0000: C:\\Windows\\SYSTEM32\\amsi (0x1f000 bytes).\n2025-11-19 23:41:25,464 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE08C0000: C:\\Windows\\SYSTEM32\\sxs (0xa2000 bytes).\n2025-11-19 23:41:25,535 [root] DEBUG: 740: CreateProcessHandler: Injection info set for new process 4036: C:\\Windows\\system32\\wbem\\wmiprvse.exe, ImageBase: 0x00007FF7CCD30000\n2025-11-19 23:41:25,536 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 4036\n2025-11-19 23:41:25,536 [lib.api.process] INFO: Monitor config for <Process 4036 WmiPrvSE.exe>: C:\\2oozvway\\dll\\4036.ini\n2025-11-19 23:41:25,538 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-19 23:41:26,523 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2oozvway\\dll\\FvrgALd.dll, loader C:\\2oozvway\\bin\\alZEzoOD.exe\n2025-11-19 23:41:26,535 [root] DEBUG: Loader: Injecting process 4036 (thread 1460) with C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:26,536 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2025-11-19 23:41:26,537 [root] DEBUG: Successfully injected DLL C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:26,540 [lib.api.process] INFO: Injected into 64-bit <Process 4036 WmiPrvSE.exe>\n2025-11-19 23:41:26,542 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 4036\n2025-11-19 23:41:26,542 [lib.api.process] INFO: Monitor config for <Process 4036 WmiPrvSE.exe>: C:\\2oozvway\\dll\\4036.ini\n2025-11-19 23:41:26,543 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-19 23:41:27,104 [lib.api.process] INFO: 64-bit DLL to inject is 
C:\\2oozvway\\dll\\FvrgALd.dll, loader C:\\2oozvway\\bin\\alZEzoOD.exe\n2025-11-19 23:41:27,114 [root] DEBUG: Loader: Injecting process 4036 (thread 1460) with C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:27,115 [root] DEBUG: InjectDllViaIAT: This image has already been patched.\n2025-11-19 23:41:27,116 [root] DEBUG: Successfully injected DLL C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:27,119 [lib.api.process] INFO: Injected into 64-bit <Process 4036 WmiPrvSE.exe>\n2025-11-19 23:41:27,132 [root] DEBUG: 4036: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-19 23:41:27,132 [root] DEBUG: 4036: Interactive desktop enabled.\n2025-11-19 23:41:27,133 [root] DEBUG: 4036: Dropped file limit defaulting to 100.\n2025-11-19 23:41:27,136 [root] DEBUG: 4036: Disabling sleep skipping.\n2025-11-19 23:41:27,137 [root] DEBUG: 4036: Services hook set enabled\n2025-11-19 23:41:27,141 [root] DEBUG: 4036: YaraInit: Compiled rules loaded from existing file C:\\2oozvway\\data\\yara\\capemon.yac\n2025-11-19 23:41:27,165 [root] DEBUG: 4036: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-19 23:41:27,166 [root] DEBUG: 4036: Monitor initialised: 64-bit capemon loaded in process 4036 at 0x00007FFEC4670000, thread 1460, image base 0x00007FF7CCD30000, stack from 0x0000008CAF580000-0x0000008CAF590000\n2025-11-19 23:41:27,167 [root] DEBUG: 4036: Commandline: C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding\n2025-11-19 23:41:27,180 [root] DEBUG: 4036: Hooked 69 out of 69 functions\n2025-11-19 23:41:27,187 [root] DEBUG: 4036: RestoreHeaders: Restored original import table.\n2025-11-19 23:41:27,188 [root] INFO: Loaded monitor into process with pid 4036\n2025-11-19 23:41:27,199 [root] DEBUG: 4036: set_hooks_by_export_directory: Hooked 0 out of 69 functions\n2025-11-19 23:41:27,200 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDEA70000: 
C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2025-11-19 23:41:27,201 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE1390000: C:\\Windows\\System32\\bcryptPrimitives (0x82000 bytes).\n2025-11-19 23:41:27,204 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE2C20000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2025-11-19 23:41:27,208 [lib.api.process] INFO: Monitor config for <Process 1756 svchost.exe>: C:\\2oozvway\\dll\\1756.ini\n2025-11-19 23:41:27,210 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-19 23:41:27,212 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2oozvway\\dll\\FvrgALd.dll, loader C:\\2oozvway\\bin\\alZEzoOD.exe\n2025-11-19 23:41:27,222 [root] DEBUG: Loader: Injecting process 1756 with C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:27,229 [root] DEBUG: 1756: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-19 23:41:27,230 [root] DEBUG: 1756: Disabling sleep skipping.\n2025-11-19 23:41:27,230 [root] DEBUG: 1756: Interactive desktop enabled.\n2025-11-19 23:41:27,231 [root] DEBUG: 1756: Dropped file limit defaulting to 100.\n2025-11-19 23:41:27,232 [root] DEBUG: 1756: Services hook set enabled\n2025-11-19 23:41:27,236 [root] DEBUG: 1756: YaraInit: Compiled rules loaded from existing file C:\\2oozvway\\data\\yara\\capemon.yac\n2025-11-19 23:41:27,259 [root] DEBUG: 1756: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-19 23:41:27,260 [root] DEBUG: 1756: Monitor initialised: 64-bit capemon loaded in process 1756 at 0x00007FFEC4670000, thread 1400, image base 0x00007FF630560000, stack from 0x000000D46CEF5000-0x000000D46CF00000\n2025-11-19 23:41:27,261 [root] DEBUG: 1756: Commandline: C:\\Windows\\system32\\svchost.exe -k netsvcs -p\n2025-11-19 23:41:27,274 [root] DEBUG: 1756: Hooked 69 out of 69 functions\n2025-11-19 23:41:27,276 [root] INFO: Loaded monitor into process with pid 
1756\n2025-11-19 23:41:27,277 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-19 23:41:27,278 [root] DEBUG: Successfully injected DLL C:\\2oozvway\\dll\\FvrgALd.dll.\n2025-11-19 23:41:27,280 [lib.api.process] INFO: Injected into 64-bit <Process 1756 svchost.exe>\n2025-11-19 23:41:29,297 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDC220000: C:\\Windows\\system32\\wbem\\wbemprox (0x11000 bytes).\n2025-11-19 23:41:29,304 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDB270000: C:\\Windows\\system32\\wbem\\wbemsvc (0x14000 bytes).\n2025-11-19 23:41:29,324 [root] DEBUG: 4036: DLL loaded at 0x00007FFED9560000: C:\\Windows\\system32\\wbem\\wmiutils (0x28000 bytes).\n2025-11-19 23:41:29,337 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE09F0000: C:\\Windows\\SYSTEM32\\powrprof (0x4b000 bytes).\n2025-11-19 23:41:29,338 [root] DEBUG: 4036: DLL loaded at 0x00007FFECA3F0000: C:\\Windows\\SYSTEM32\\framedynos (0x52000 bytes).\n2025-11-19 23:41:29,339 [root] DEBUG: 4036: DLL loaded at 0x00007FFECA0F0000: C:\\Windows\\system32\\wbem\\cimwin32 (0x20c000 bytes).\n2025-11-19 23:41:29,341 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE09D0000: C:\\Windows\\SYSTEM32\\UMPDC (0x12000 bytes).\n2025-11-19 23:41:29,359 [root] DEBUG: 4036: DLL loaded at 0x00007FFECBDA0000: C:\\Windows\\SYSTEM32\\winbrand (0x35000 bytes).\n2025-11-19 23:41:29,364 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\wldp (0x2d000 bytes).\n2025-11-19 23:41:29,369 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\wldp (0x2d000 bytes).\n2025-11-19 23:41:29,374 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\wldp (0x2d000 bytes).\n2025-11-19 23:41:29,379 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\wldp (0x2d000 bytes).\n2025-11-19 23:41:29,380 [root] DEBUG: 4036: DLL loaded at 0x0000025E61D60000: C:\\Windows\\SYSTEM32\\SECURITY (0x3000 
bytes).\n2025-11-19 23:41:29,382 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDC850000: C:\\Windows\\SYSTEM32\\SECUR32 (0xc000 bytes).\n2025-11-19 23:41:29,385 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDFAA0000: C:\\Windows\\system32\\schannel (0x97000 bytes).\n2025-11-19 23:41:29,430 [root] DEBUG: 4036: DLL loaded at 0x00007FFED6960000: C:\\Windows\\SYSTEM32\\NETAPI32 (0x19000 bytes).\n2025-11-19 23:41:29,432 [root] DEBUG: 4036: DLL loaded at 0x00007FFED5050000: C:\\Windows\\SYSTEM32\\SAMCLI (0x19000 bytes).\n2025-11-19 23:41:29,435 [root] DEBUG: 4036: DLL loaded at 0x00007FFED6E00000: C:\\Windows\\SYSTEM32\\SRVCLI (0x28000 bytes).\n2025-11-19 23:41:29,437 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0060000: C:\\Windows\\SYSTEM32\\NETUTILS (0xc000 bytes).\n2025-11-19 23:41:29,439 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0070000: C:\\Windows\\SYSTEM32\\LOGONCLI (0x43000 bytes).\n2025-11-19 23:41:29,441 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDC210000: C:\\Windows\\SYSTEM32\\SCHEDCLI (0xc000 bytes).\n2025-11-19 23:41:29,443 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDFCF0000: C:\\Windows\\SYSTEM32\\WKSCLI (0x19000 bytes).\n2025-11-19 23:41:29,445 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDC560000: C:\\Windows\\SYSTEM32\\DSROLE (0xa000 bytes).\n2025-11-19 23:41:29,449 [root] DEBUG: 4036: DLL loaded at 0x00007FFECE280000: C:\\Windows\\SYSTEM32\\cscapi (0x12000 bytes).\n2025-11-19 23:41:29,521 [root] DEBUG: 1324: CAPEExceptionFilter: Exception 0xc0000005 accessing 0x0 caught at RVA 0xf0418 in capemon (expected in memory scans), passing to next handler.\n2025-11-19 23:41:29,534 [root] DEBUG: 1324: DLL loaded at 0x00007FFED5F30000: C:\\Windows\\system32\\winhttpcom (0x1e000 bytes).\n2025-11-19 23:41:29,544 [root] DEBUG: 1324: DLL loaded at 0x00007FFED8A20000: C:\\Windows\\system32\\WINHTTP (0x10a000 bytes).\n2025-11-19 23:41:29,556 [root] DEBUG: 1324: DLL loaded at 0x00007FFECB2E0000: C:\\Windows\\system32\\OnDemandConnRouteHelper (0x17000 
bytes).\n2025-11-19 23:41:29,560 [root] DEBUG: 1324: DLL loaded at 0x00007FFEC7790000: C:\\Windows\\system32\\webio (0x98000 bytes).\n2025-11-19 23:41:29,564 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0260000: C:\\Windows\\system32\\mswsock (0x6a000 bytes).\n2025-11-19 23:41:29,568 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDFF50000: C:\\Windows\\system32\\IPHLPAPI (0x3b000 bytes).\n2025-11-19 23:41:29,570 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE2110000: C:\\Windows\\System32\\NSI (0x8000 bytes).\n2025-11-19 23:41:29,571 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDAE00000: C:\\Windows\\SYSTEM32\\WINNSI (0xb000 bytes).\n2025-11-19 23:41:29,588 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDFF90000: C:\\Windows\\SYSTEM32\\DNSAPI (0xca000 bytes).\n2025-11-19 23:41:29,594 [root] DEBUG: 1324: DLL loaded at 0x00007FFED87C0000: C:\\Windows\\System32\\rasadhlp (0xa000 bytes).\n2025-11-19 23:41:29,609 [root] DEBUG: 1324: DLL loaded at 0x00007FFED8CB0000: C:\\Windows\\System32\\fwpuclnt (0x80000 bytes).\n2025-11-19 23:41:29,666 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDFAA0000: C:\\Windows\\system32\\schannel (0x97000 bytes).\n2025-11-19 23:41:29,751 [root] DEBUG: 608: TLS 1.2 secrets logged to: C:\\xVgYcbaMe\\tlsdump\\tlsdump.log\n2025-11-19 23:41:29,790 [root] DEBUG: 1324: DLL loaded at 0x00007FFECB060000: C:\\Windows\\SYSTEM32\\mskeyprotect (0x15000 bytes).\n2025-11-19 23:41:29,791 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0530000: C:\\Windows\\SYSTEM32\\NTASN1 (0x3b000 bytes).\n2025-11-19 23:41:29,799 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0570000: C:\\Windows\\SYSTEM32\\ncrypt (0x27000 bytes).\n2025-11-19 23:41:29,802 [root] DEBUG: 1324: DLL loaded at 0x00007FFECB1A0000: C:\\Windows\\system32\\ncryptsslp (0x26000 bytes).\n2025-11-19 23:41:29,808 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0690000: C:\\Windows\\SYSTEM32\\MSASN1 (0x12000 bytes).\n2025-11-19 23:41:29,910 [root] DEBUG: 1324: DLL loaded at 0x00007FFEC5430000: C:\\Windows\\system32\\mlang 
(0x42000 bytes).\n2025-11-19 23:41:29,959 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDFCB0000: C:\\Windows\\SYSTEM32\\ntmarta (0x33000 bytes).\n2025-11-19 23:41:29,960 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDE0B0000: C:\\Windows\\System32\\CoreMessaging (0xf2000 bytes).\n2025-11-19 23:41:29,961 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDC8A0000: C:\\Windows\\SYSTEM32\\wintypes (0x155000 bytes).\n2025-11-19 23:41:29,962 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDDD50000: C:\\Windows\\System32\\CoreUIComponents (0x35b000 bytes).\n2025-11-19 23:41:29,963 [root] DEBUG: 1324: DLL loaded at 0x00007FFED8F50000: C:\\Windows\\SYSTEM32\\textinputframework (0xf9000 bytes).\n2025-11-19 23:43:31,266 [root] DEBUG: 2552: set_hooks_by_export_directory: Hooked 0 out of 69 functions\n2025-11-19 23:43:31,268 [root] DEBUG: 2552: DLL loaded at 0x00007FFECE180000: C:\\Windows\\System32\\Windows.CloudStore.Schema.Shell (0xf4000 bytes).\n2025-11-19 23:43:31,290 [root] DEBUG: 2552: DLL loaded at 0x00007FFEDB0E0000: C:\\Windows\\System32\\usermgrproxy (0x54000 bytes).\n2025-11-19 23:44:41,586 [root] INFO: Analysis timeout hit, terminating analysis\n2025-11-19 23:44:41,587 [lib.api.process] INFO: Terminate event set for <Process 1324 PoliceAssist.exe>\n2025-11-19 23:44:41,588 [root] DEBUG: 1324: Terminate Event: Attempting to dump process 1324\n2025-11-19 23:44:41,591 [root] DEBUG: 1324: DoProcessDump: Skipping process dump as code is identical on disk.\n2025-11-19 23:44:41,605 [lib.api.process] INFO: Termination confirmed for <Process 1324 PoliceAssist.exe>\n2025-11-19 23:44:41,606 [root] DEBUG: 1324: Terminate Event: monitor shutdown complete for process 1324\n2025-11-19 23:44:41,607 [root] INFO: Terminate event set for process 1324\n2025-11-19 23:44:41,608 [lib.api.process] INFO: Terminate event set for <Process 740 svchost.exe>\n2025-11-19 23:44:41,609 [root] DEBUG: 740: Terminate Event: Attempting to dump process 740\n2025-11-19 23:44:41,610 [root] DEBUG: 740: DoProcessDump: 
Skipping process dump as code is identical on disk.\n2025-11-19 23:44:41,615 [lib.api.process] INFO: Termination confirmed for <Process 740 svchost.exe>\n2025-11-19 23:44:41,616 [root] INFO: Terminate event set for process 740\n2025-11-19 23:44:41,616 [root] DEBUG: 740: Terminate Event: monitor shutdown complete for process 740\n2025-11-19 23:44:41,616 [lib.api.process] INFO: Terminate event set for <Process 4036 WmiPrvSE.exe>\n2025-11-19 23:44:41,618 [root] DEBUG: 4036: Terminate Event: Attempting to dump process 4036\n2025-11-19 23:44:41,619 [root] DEBUG: 4036: DoProcessDump: Skipping process dump as code is identical on disk.\n2025-11-19 23:44:41,623 [root] DEBUG: 4036: Terminate Event: Shutdown complete for process 4036 but failed to inform analyzer.\n2025-11-19 23:44:46,618 [lib.api.process] INFO: Termination confirmed for <Process 4036 WmiPrvSE.exe>\n2025-11-19 23:44:46,619 [root] INFO: Terminate event set for process 4036\n2025-11-19 23:44:46,620 [lib.api.process] INFO: Terminate event set for <Process 1756 svchost.exe>\n2025-11-19 23:44:46,622 [root] DEBUG: 1756: Terminate Event: Attempting to dump process 1756\n2025-11-19 23:44:46,623 [root] DEBUG: 1756: DoProcessDump: Skipping process dump as code is identical on disk.\n2025-11-19 23:44:46,627 [lib.api.process] INFO: Termination confirmed for <Process 1756 svchost.exe>\n2025-11-19 23:44:46,627 [root] INFO: Terminate event set for process 1756\n2025-11-19 23:44:46,628 [root] DEBUG: 1756: Terminate Event: monitor shutdown complete for process 1756\n2025-11-19 23:44:46,628 [root] INFO: Created shutdown mutex\n2025-11-19 23:44:47,640 [root] INFO: Shutting down package\n2025-11-19 23:44:47,641 [root] INFO: Stopping auxiliary modules\n2025-11-19 23:44:47,641 [root] INFO: Stopping auxiliary module: Browser\n2025-11-19 23:44:47,642 [root] INFO: Stopping auxiliary module: Human\n2025-11-19 23:44:47,642 [root] INFO: Stopping auxiliary module: Screenshots\n2025-11-19 23:44:47,857 [root] INFO: Finishing auxiliary 
modules\n2025-11-19 23:44:47,857 [root] INFO: Shutting down pipe server and dumping dropped files\n2025-11-19 23:44:47,858 [root] WARNING: Folder at path \"C:\\xVgYcbaMe\\debugger\" does not exist, skipping\n2025-11-19 23:44:47,858 [root] INFO: Uploading files at path \"C:\\xVgYcbaMe\\tlsdump\"\n2025-11-19 23:44:47,859 [lib.common.results] INFO: Uploading file C:\\xVgYcbaMe\\tlsdump\\tlsdump.log to tlsdump\\tlsdump.log; Size is 274; Max size: 100000000\n2025-11-19 23:44:47,877 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "fb352b516b4465e52ab873bf14ef2488fcf8483002009399615872fc97768845",
    "hosts": [
      {
        "ip": "172.66.171.73",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "pastebin.com",
        "inaddrarpa": "",
        "ports": []
      }
    ],
    "domains": [
      {
        "domain": "pastebin.com",
        "ip": "172.66.171.73"
      }
    ],
    "tcp": [
      {
        "src": "192.168.1.2",
        "sport": 49681,
        "dst": "172.66.171.73",
        "dport": 443,
        "offset": 725,
        "time": 4.002519130706787
      }
    ],
    "udp": [
      {
        "src": "192.168.1.2",
        "sport": 138,
        "dst": "192.168.1.255",
        "dport": 138,
        "offset": 24,
        "time": 0.0
      }
    ],
    "icmp": [],
    "http": [],
    "dns": [
      {
        "request": "pastebin.com",
        "type": "A",
        "answers": [
          {
            "type": "A",
            "data": "172.66.171.73"
          },
          {
            "type": "A",
            "data": "104.20.29.150"
          }
        ],
        "first_seen": 1763595862.358999
      }
    ],
    "smtp": [],
    "irc": [],
    "dead_hosts": [],
    "http_ex": [],
    "https_ex": [
      {
        "src": "192.168.1.2",
        "sport": 49681,
        "dst": "172.66.171.73",
        "dport": 443,
        "protocol": "https",
        "method": "GET",
        "host": "pastebin.com",
        "uri": "/raw/04TKQkE1",
        "status": 200,
        "request": "GET /raw/04TKQkE1 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pastebin.com",
        "response": "HTTP/1.1 200 OK\r\nDate: Wed, 19 Nov 2025 23:44:22 GMT\r\nContent-Type: text/plain; charset=utf-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nServer: cloudflare\r\nx-frame-options: DENY\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1;mode=block\r\nCache-Control: public, max-age=14400\r\nAge: 1685\r\ncf-cache-status: HIT\r\nlast-modified: Wed, 19 Nov 2025 23:16:16 GMT\r\nVary: accept-encoding\r\nCF-RAY: 9a13933d5e6c35cc-ARN",
        "first_seen": 1763595862.610253,
        "resp": {
          "md5": "f395084b46df7f9caec1a3e3dd5d7864",
          "sha1": "b9201a2511ea3661fb5b30958c25689a6d4cfad5",
          "sha256": "cf2c29ee27cad25d8f6863bcf95f71ac22a92bf1b6c6af43767a9196cd47cb42",
          "preview": [
            "00000000  30 30 33 33 30 2d 38 30  30 30 30 2d 30 30 30 30  |00330-80000-0000|",
            "00000010  30 2d 41 41 34 38 31 20  2d 20 d1 8f 0d 0a 30 30  |0-AA481 - ....00|",
            "00000020  33 32 36 2d 33 30 30 30  30 2d 30 30 30 30 31 2d  |326-30000-00001-|"
          ],
          "path": "/opt/CAPEv2/storage/analyses/11/network/cf2c29ee27cad25d8f6863bcf95f71ac22a92bf1b6c6af43767a9196cd47cb42"
        }
      }
    ],
    "smtp_ex": []
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "dead_connect",
      "description": "Attempts to connect to a dead IP:Port (1 unique time)",
      "categories": [
        "network"
      ],
      "severity": 1,
      "weight": 0,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 1324,
          "cid": 1441
        },
        {
          "IP": "172.66.171.73:443 (unknown)"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_keyboard_layout",
      "description": "Queries the keyboard layout",
      "categories": [
        "location_discovery"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 1324,
          "cid": 109
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 381
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 384
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_locale_api",
      "description": "Queries the computer locale (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 1324,
          "cid": 216
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 292
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 704
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 915
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 975
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 1125
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antidebug_setunhandledexceptionfilter",
      "description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
      "categories": [
        "anti-debug"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 1324,
          "cid": 30
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "language_check_registry",
      "description": "Checks system language via registry key (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU"
        },
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_cnc_https_generic",
      "description": "Establishes an encrypted HTTPS connection",
      "categories": [
        "network",
        "encryption"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "http_request": "GET /raw/04TKQkE1 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pastebin.com\r\n\r\n"
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 1964
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "legitimate_domain_abuse",
      "description": "Connection to a legitimate domain from an unexpected process",
      "categories": [
        "network",
        "living-off-trusted-sites"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf",
        "https://lots-project.com/"
      ],
      "data": [
        {
          "type": "call",
          "pid": 1324,
          "cid": 1156
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 1200
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "suspicious_communication_trusted_site",
      "description": "Suspicious communication with abused trusted site",
      "categories": [
        "living-off-trusted-sites",
        "C&C",
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf",
        "https://lots-project.com/"
      ],
      "data": [
        {
          "type": "call",
          "pid": 1324,
          "cid": 1156
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 1157
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 1200
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 1970
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_dns_paste_site",
      "description": "DNS query to a paste site or service detected",
      "categories": [
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "domain": "pastebin.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_cnc_https_pastesite",
      "description": "Establishes an encrypted HTTPS connection to a paste site",
      "categories": [
        "network",
        "encryption"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "http_request": "GET /raw/04TKQkE1 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pastebin.com\r\n\r\n"
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 1964
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antisandbox_mouse_hook",
      "description": "Installs a hook procedure to monitor for mouse events",
      "categories": [
        "anti-sandbox",
        "generic"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 1324,
          "cid": 655
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "infostealer_keylog",
      "description": "Sniffs keystrokes",
      "categories": [
        "infostealer"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "SetWindowsHookExW": "Process: PoliceAssist.exe(1324)"
        },
        {
          "type": "call",
          "pid": 1324,
          "cid": 654
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 0.0,
  "ttps": [
    {
      "signature": "network_cnc_https_generic",
      "ttps": [
        "T1573"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_cnc_https_pastesite",
      "ttps": [
        "T1573"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "suspicious_communication_trusted_site",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_dns_paste_site",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    }
  ],
  "malstatus": null
}