{ "statistics": { "processing": [ { "name": "CAPE", "time": 0.94 }, { "name": "AnalysisInfo", "time": 0.014 }, { "name": "BehaviorAnalysis", "time": 0.112 }, { "name": "Debug", "time": 0.001 }, { "name": "NetworkAnalysis", "time": 0.02 }, { "name": "UrlAnalysis", "time": 0.0 }, { "name": "script_log_processing", "time": 0.0 }, { "name": "ProcessMemory", "time": 0.0 } ], "signatures": [ { "name": "packer_themida", "time": 0.0 }, { "name": "stealth_network", "time": 0.0 }, { "name": "disable_driver_via_blocklist", "time": 0.0 }, { "name": "disable_driver_via_hvcidisallowedimages", "time": 0.0 }, { "name": "disable_hypervisor_protected_code_integrity", "time": 0.0 }, { "name": "pendingfilerenameoperations_Operations", "time": 0.0 }, { "name": "anomalous_deletefile", "time": 0.0 }, { "name": "antiav_360_libs", "time": 0.0 }, { "name": "antiav_ahnlab_libs", "time": 0.0 }, { "name": "antiav_avast_libs", "time": 0.0 }, { "name": "antiav_bitdefender_libs", "time": 0.0 }, { "name": "antiav_bullguard_libs", "time": 0.0 }, { "name": "antiav_emsisoft_libs", "time": 0.0 }, { "name": "antiav_qurb_libs", "time": 0.0 }, { "name": "antiav_servicestop", "time": 0.0 }, { "name": "antiav_apioverride_libs", "time": 0.0 }, { "name": "antidebug_guardpages", "time": 0.0 }, { "name": "antidebug_ntcreatethreadex", "time": 0.0 }, { "name": "antiav_nthookengine_libs", "time": 0.0 }, { "name": "antidebug_outputdebugstring", "time": 0.0 }, { "name": "antidebug_setunhandledexceptionfilter", "time": 0.0 }, { "name": "antidebug_windows", "time": 0.0 }, { "name": "antisandbox_cuckoo", "time": 0.0 }, { "name": "antisandbox_cuckoocrash", "time": 0.0 }, { "name": "antisandbox_foregroundwindows", "time": 0.0 }, { "name": "mouse_movement_detect", "time": 0.0 }, { "name": "antisandbox_sboxie_libs", "time": 0.0 }, { "name": "antisandbox_script_timer", "time": 0.0 }, { "name": "antisandbox_sleep", "time": 0.0 }, { "name": "antisandbox_sunbelt_libs", "time": 0.0 }, { "name": "antisandbox_unhook", "time": 0.0 }, { "name": "hardware_id_profiling", "time": 0.0 }, { "name": "antivm_directory_objects", "time": 0.0 }, { "name": "antivm_display", "time": 0.0 }, { "name": "antivm_generic_disk", "time": 0.0 }, { "name": "antivm_generic_scsi", "time": 0.0 }, { "name": "antivm_generic_services", "time": 0.0 }, { "name": "antivm_generic_system", "time": 0.0 }, { "name": "antivm_checks_available_memory", "time": 0.0 }, { "name": "detect_virtualization_via_recent_files", "time": 0.0 }, { "name": "antivm_vbox_libs", "time": 0.0 }, { "name": "antivm_vbox_window", "time": 0.0 }, { "name": "antivm_vmware_events", "time": 0.0 }, { "name": "antivm_vmware_libs", "time": 0.0 }, { "name": "antivm_wmi", "time": 0.0 }, { "name": "api_spamming", "time": 0.0 }, { "name": "api_uuidfromstringa", "time": 0.0 }, { "name": "bcdedit_command", "time": 0.0 }, { "name": "bootkit", "time": 0.0 }, { "name": "direct_hdd_access", "time": 0.0 }, { "name": "physical_drive_access", "time": 0.0 }, { "name": "potential_overwrite_mbr", "time": 0.0 }, { "name": "read_file_raw_disk_access", "time": 0.0 }, { "name": "suspicious_iocontrol_codes", "time": 0.0 }, { "name": "browser_needed", "time": 0.0 }, { "name": "amsi_enumeration", "time": 0.0 }, { "name": "regsvr32_squiblydoo_dll_load", "time": 0.0 }, { "name": "suspicious_ntdll_disk_load", "time": 0.0 }, { "name": "direct_syscall_evasion", "time": 0.0 }, { "name": "unbacked_syscall_execution", "time": 0.0 }, { "name": "uac_bypass_cmstp", "time": 0.0 }, { "name": "uac_bypass_eventvwr", "time": 0.0 }, { "name": "uac_bypass_windows_Backup", "time": 0.0 }, { "name": "privilege_elevation_check", "time": 0.0 }, { "name": "dotnet_code_compile", "time": 0.0 }, { "name": "queries_computer_name", "time": 0.0 }, { "name": "queries_user_name", "time": 0.0 }, { "name": "creates_largekey", "time": 0.0 }, { "name": "creates_nullvalue", "time": 0.0 }, { "name": "access_windows_passwords_vault", "time": 0.0 }, { "name": "dump_lsa_via_windows_error_reporting", "time": 0.0 }, { "name": "lsass_credential_dumping", "time": 0.0 }, { "name": "critical_process", "time": 0.0 }, { "name": "query_fips_reconnaissance", "time": 0.0 }, { "name": "cryptopool_domains", "time": 0.0 }, { "name": "dead_connect", "time": 0.0 }, { "name": "dead_link", "time": 0.0 }, { "name": "decoy_document", "time": 0.0 }, { "name": "decoy_image", "time": 0.0 }, { "name": "deletes_consolehost_history", "time": 0.0 }, { "name": "dep_bypass", "time": 0.0 }, { "name": "dep_disable", "time": 0.0 }, { "name": "disables_wfp", "time": 0.0 }, { "name": "add_windows_defender_exclusions", "time": 0.0 }, { "name": "mountpoints_volume_discovery", "time": 0.0 }, { "name": "dll_load_uncommon_file_types", "time": 0.0 }, { "name": "dllload_suspicious_directory", "time": 0.0 }, { "name": "document_script_exe_drop", "time": 0.0 }, { "name": "driver_load", "time": 0.0 }, { "name": "install_kernel_driver_service", "time": 0.0 }, { "name": "malformed_dll_loading", "time": 0.0 }, { "name": "dynamic_function_loading", "time": 0.0 }, { "name": "encrypted_ioc", "time": 0.0 }, { "name": "registers_vectored_exception_handler", "time": 0.0 }, { "name": "exec_crash", "time": 0.0 }, { "name": "process_creation_suspicious_location", "time": 0.0 }, { "name": "exploit_getbasekerneladdress", "time": 0.0 }, { "name": "exploit_gethaldispatchtable", "time": 0.0 }, { "name": "exploit_heapspray", "time": 0.0 }, { "name": "downloads_from_filehosting", "time": 0.0 }, { "name": "generic_phish", "time": 0.0 }, { "name": "http_request", "time": 0.0 }, { "name": "infostealer_browser", "time": 0.0 }, { "name": "infostealer_browser_password", "time": 0.0 }, { "name": "infostealer_cookies", "time": 0.0 }, { "name": "captures_screenshot", "time": 0.0 }, { "name": "injection_createremotethread", "time": 0.0 }, { "name": "creates_suspended_process", "time": 0.0 }, { "name": "injection_explorer", "time": 0.0 }, { "name": "injection_module_stomping_probing", "time": 0.0 }, { "name": "injection_network_traffic", "time": 0.0 }, { "name": "injection_runpe", "time": 0.0 }, { "name": "injection_rwx", "time": 0.0 }, { "name": "section_mapping_injection", "time": 0.0 }, { "name": "injection_themeinitapihook", "time": 0.0 }, { "name": "apc_injection", "time": 0.0 }, { "name": "resumethread_remote_process", "time": 0.0 }, { "name": "injection_write_exe_process", "time": 0.0 }, { "name": "injection_write_process", "time": 0.0 }, { "name": "internet_dropper", "time": 0.0 }, { "name": "interprocess_comms_mutex", "time": 0.0 }, { "name": "interprocess_comms_named_pipe", "time": 0.0 }, { "name": "interprocess_comms_shared_memory", "time": 0.0 }, { "name": "escalate_privilege_via_named_pipe", "time": 0.0 }, { "name": "ipc_namedpipe", "time": 0.0 }, { "name": "js_phish", "time": 0.0 }, { "name": "js_suspicious_redirect", "time": 0.0 }, { "name": "execute_binary_via_internet_explorer_exporter", "time": 0.0 }, { "name": "execute_binary_via_run_exe_helper_utility", "time": 0.0 }, { "name": "execute_ps_via_syncappvpublishingserver", "time": 0.0 }, { "name": "malicious_dynamic_function_loading", "time": 0.0 }, { "name": "reads_memory_remote_process", "time": 0.0 }, { "name": "unbacked_exception_filter", "time": 0.0 }, { "name": "unbacked_process_mitigation_alteration", "time": 0.0 }, { "name": "thread_unbacked_memory", "time": 0.0 }, { "name": "unbacked_api_resolution", "time": 0.0 }, { "name": "unbacked_dotnet_execution", "time": 0.0 }, { "name": "unbacked_library_load", "time": 0.0 }, { "name": "unbacked_memory_apc_execution", "time": 0.0 }, { "name": "unbacked_memory_protection_alteration", "time": 0.0 }, { "name": "unbacked_mutex_creation", "time": 0.0 }, { "name": "unbacked_process_creation", "time": 0.0 }, { "name": "unbacked_veh_registration", "time": 0.0 }, { "name": "unbacked_com_instantiation", "time": 0.0 }, { "name": "unbacked_crypto_operations", "time": 0.0 }, { "name": "unbacked_delay_execution", "time": 0.0 }, { "name": "unbacked_file_dropping", "time": 0.0 }, { "name": "unbacked_process_enumeration", "time": 0.0 }, { "name": "unbacked_registry_modification", "time": 0.0 }, { "name": "unbacked_service_manipulation", "time": 0.0 }, { "name": "unbacked_token_manipulation", "time": 0.0 }, { "name": "unbacked_wmi_execution", "time": 0.0 }, { "name": "unbacked_bind_shell", "time": 0.0 }, { "name": "unbacked_dns_resolution", "time": 0.0 }, { "name": "unbacked_memory_network_connection", "time": 0.0 }, { "name": "unbacked_named_pipe_creation", "time": 0.0 }, { "name": "unbacked_useragent_retrieval", "time": 0.0 }, { "name": "mimics_filetime", "time": 0.0 }, { "name": "amsi_bypass_via_com_registry", "time": 0.0 }, { "name": "access_auto_logons_via_registry", "time": 0.0 }, { "name": "access_boot_key_via_registry", "time": 0.0 }, { "name": "create_suspicious_lnk_files", "time": 0.0 }, { "name": "credential_access_via_windows_credential_history", "time": 0.0 }, { "name": "dll_hijacking_via_microsoft_exchange", "time": 0.0 }, { "name": "dll_hijacking_via_waas_medic_svc_com_typelib", "time": 0.0 }, { "name": "execute_file_downloaded_via_openssh", "time": 0.0 }, { "name": "execute_safe_mode_from_suspicious_process", "time": 0.0 }, { "name": "execute_scripts_via_microsoft_management_console", "time": 0.0 }, { "name": "execute_suspicious_processes_via_windows_mssql_service", "time": 0.0 }, { "name": "execution_from_self_extracting_archive", "time": 0.0 }, { "name": "ip_address_discovery_via_trusted_program", "time": 0.0 }, { "name": "load_dll_via_control_panel", "time": 0.0 }, { "name": "network_connection_via_suspicious_process", "time": 0.0 }, { "name": "potential_location_discovery_via_unusual_process", "time": 0.0 }, { "name": "store_executable_registry", "time": 0.0 }, { "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent", "time": 0.0 }, { "name": "suspicious_java_execution_via_win_scripts", "time": 0.0 }, { "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File", "time": 0.0 }, { "name": "uses_restart_manager_for_suspicious_activities", "time": 0.0 }, { "name": "modify_desktop_wallpaper", "time": 0.0 }, { "name": "modify_zoneid_ads", "time": 0.0 }, { "name": "move_file_on_reboot", "time": 0.0 }, { "name": "multiple_useragents", "time": 0.0 }, { "name": "network_anomaly", "time": 0.0 }, { "name": "network_bind", "time": 0.0 }, { "name": "etherhiding_smart_contract_call", "time": 0.0 }, { "name": "network_cnc_https_archive", "time": 0.0 }, { "name": "network_cnc_https_free_webhosting", "time": 0.0 }, { "name": "network_cnc_https_generic", "time": 0.0 }, { "name": "network_cnc_https_interactsh", "time": 0.0 }, { "name": "network_cnc_https_opensource", "time": 0.0 }, { "name": "network_cnc_https_pastesite", "time": 0.0 }, { "name": "network_cnc_https_payload", "time": 0.0 }, { "name": "network_cnc_https_serviceinterface", "time": 0.0 }, { "name": "network_cnc_https_socialmedia", "time": 0.0 }, { "name": "network_cnc_https_telegram", "time": 0.0 }, { "name": "network_cnc_https_tempstorage", "time": 0.0 }, { "name": "network_cnc_https_temp_urldns", "time": 0.0 }, { "name": "network_cnc_https_urlshortener", "time": 0.0 }, { "name": "network_cnc_https_useragent", "time": 0.0 }, { "name": "network_cnc_smtps_exfil", "time": 0.0 }, { "name": "network_cnc_smtps_generic", "time": 0.0 }, { "name": "network_dns_idn", "time": 0.0 }, { "name": "network_dns_suspicious_querytype", "time": 0.0 }, { "name": "network_dns_tunneling_request", "time": 0.0 }, { "name": "network_document_http", "time": 0.0 }, { "name": "explorer_http", "time": 0.0 }, { "name": "network_fake_useragent", "time": 0.0 }, { "name": "legitimate_domain_abuse", "time": 0.0 }, { "name": "suspicious_communication_trusted_site", "time": 0.0 }, { "name": "network_tor", "time": 0.0 }, { "name": "office_com_load", "time": 0.0 }, { "name": "office_dotnet_load", "time": 0.0 }, { "name": "office_mshtml_load", "time": 0.0 }, { "name": "office_vb_load", "time": 0.0 }, { "name": "office_wmi_load", "time": 0.0 }, { "name": "office_cve2017_11882", "time": 0.0 }, { "name": "office_cve2017_11882_network", "time": 0.0 }, { "name": "office_cve_2021_40444", "time": 0.0 }, { "name": "office_cve_2021_40444_m2", "time": 0.0 }, { "name": "office_flash_load", "time": 0.0 }, { "name": "office_postscript", "time": 0.0 }, { "name": "office_suspicious_processes", "time": 0.0 }, { "name": "office_write_exe", "time": 0.0 }, { "name": "decompress_exe", "time": 0.0 }, { "name": "persistence_via_autodial_dll_registry", "time": 0.0 }, { "name": "persistence_autorun", "time": 0.0 }, { "name": "persistence_autorun_tasks", "time": 0.0 }, { "name": "persistence_bootexecute", "time": 0.0 }, { "name": "persistence_registry_script", "time": 0.0 }, { "name": "powershell_network_connection", "time": 0.0 }, { "name": "powershell_download", "time": 0.0 }, { "name": "powershell_request", "time": 0.0 }, { "name": "createtoolhelp32snapshot_module_enumeration", "time": 0.0 }, { "name": "enumerates_running_processes", "time": 0.0 }, { "name": "process_interest", "time": 0.0 }, { "name": "process_needed", "time": 0.0 }, { "name": "ransomware_iocp_asynchronous_encryption", "time": 0.0 }, { "name": "kernel_crypto_driver_abuse", "time": 0.0 }, { "name": "mass_data_encryption", "time": 0.0 }, { "name": "ransomware_extension_hijack", "time": 0.0 }, { "name": "mass_file_modification_access", "time": 0.0 }, { "name": "ransomware_attribute_stripping", "time": 0.0 }, { "name": "ransomware_file_modifications", "time": 0.0 }, { "name": "mass_ransom_note_drop", "time": 0.0 }, { "name": "ransomware_message", "time": 0.0 }, { "name": "reads_self", "time": 0.0 }, { "name": "recon_beacon", "time": 0.0 }, { "name": "recon_programs", "time": 0.0 }, { "name": "recon_systeminfo", "time": 0.0 }, { "name": "accesses_recyclebin", "time": 0.0 }, { "name": "script_created_process", "time": 0.0 }, { "name": "script_network_activity", "time": 0.0 }, { "name": "suspicious_js_script", "time": 0.0 }, { "name": "javascript_timer", "time": 0.0 }, { "name": "secure_login_phishing", "time": 0.0 }, { "name": "securityxploded_modules", "time": 0.0 }, { "name": "get_clipboard_data", "time": 0.0 }, { "name": "sets_autoconfig_url", "time": 0.0 }, { "name": "spoofs_procname", "time": 0.0 }, { "name": "stack_pivot", "time": 0.0 }, { "name": "stack_pivot_file_created", "time": 0.0 }, { "name": "stack_pivot_process_create", "time": 0.0 }, { "name": "set_clipboard_data", "time": 0.0 }, { "name": "stealth_childproc", "time": 0.0 }, { "name": "stealth_file", "time": 0.0 }, { "name": "stealth_timeout", "time": 0.0 }, { "name": "stealth_window", "time": 0.0 }, { "name": "queries_keyboard_layout", "time": 0.0 }, { "name": "queries_locale_api", "time": 0.0 }, { "name": "terminates_remote_process", "time": 0.0 }, { "name": "uiautomationcore_load", "time": 0.0 }, { "name": "user_enum", "time": 0.0 }, { "name": "mmc_dll_script_load", "time": 0.0 }, { "name": "mmc_dotnet_load", "time": 0.0 }, { "name": "virus", "time": 0.0 }, { "name": "webmail_phish", "time": 0.0 }, { "name": "persists_dev_util", "time": 0.0 }, { "name": "spawns_dev_util", "time": 0.0 }, { "name": "alters_windows_utility", "time": 0.0 }, { "name": "overwrites_accessibility_utility", "time": 0.0 }, { "name": "Potential_Lateral_Movement_Via_SMBEXEC", "time": 0.0 }, { "name": "potential_WebShell_Via_ScreenConnectServer", "time": 0.0 }, { "name": "uses_Microsoft_HTML_Help_Executable", "time": 0.0 }, { "name": "wiper_zeroedbytes", "time": 0.0 }, { "name": "wmi_create_process", "time": 0.0 }, { "name": "wmi_script_process", "time": 0.0 }, { "name": "antianalysis_tls_section", "time": 0.0 }, { "name": "antivirus_clamav", "time": 0.0 }, { "name": "antivirus_virustotal", "time": 0.0 }, { "name": "bad_certs", "time": 0.0 }, { "name": "bad_ssl_certs", "time": 0.0 }, { "name": "banker_zeus_p2p", "time": 0.0 }, { "name": "banker_zeus_url", "time": 0.0 }, { "name": "binary_yara", "time": 0.0 }, { "name": "bot_athenahttp", "time": 0.0 }, { "name": "bot_dirtjumper", "time": 0.0 }, { "name": "bot_drive", "time": 0.0 }, { "name": "bot_drive2", "time": 0.0 }, { "name": "bot_madness", "time": 0.0 }, { "name": "byod_loldrivers_match", "time": 0.0 }, { "name": "byod_novel_driver", "time": 0.0 }, { "name": "byod_post_load_exploitation", "time": 0.0 }, { "name": "byod_driver_service_install", "time": 0.0 }, { "name": "com_spawned_process", "time": 0.0 }, { "name": "phishing_kit_detected", "time": 0.0 }, { "name": "family_proxyback", "time": 0.0 }, { "name": "flare_capa_antianalysis", "time": 0.0 }, { "name": "flare_capa_collection", "time": 0.0 }, { "name": "flare_capa_communication", "time": 0.0 }, { "name": "flare_capa_compiler", "time": 0.0 }, { "name": "flare_capa_datamanipulation", "time": 0.0 }, { "name": "flare_capa_executable", "time": 0.0 }, { "name": "flare_capa_hostinteraction", "time": 0.0 }, { "name": "flare_capa_impact", "time": 0.0 }, { "name": "flare_capa_lib", "time": 0.0 }, { "name": "flare_capa_linking", "time": 0.0 }, { "name": "flare_capa_loadcode", "time": 0.0 }, { "name": "flare_capa_malwarefamily", "time": 0.0 }, { "name": "flare_capa_nursery", "time": 0.0 }, { "name": "flare_capa_persistence", "time": 0.0 }, { "name": "flare_capa_runtime", "time": 0.0 }, { "name": "flare_capa_targeting", "time": 0.0 }, { "name": "threatfox", "time": 0.0 }, { "name": "log4shell", "time": 0.0 }, { "name": "mimics_extension", "time": 0.0 }, { "name": "network_country_distribution", "time": 0.0 }, { "name": "network_cnc_http", "time": 0.0 }, { "name": "network_ip_exe", "time": 0.0 }, { "name": "network_dga", "time": 0.0 }, { "name": "network_dga_fraunhofer", "time": 0.0 }, { "name": "network_dyndns", "time": 0.0 }, { "name": "network_excessive_udp", "time": 0.0 }, { "name": "network_http", "time": 0.0 }, { "name": "network_icmp", "time": 0.0 }, { "name": "network_irc", "time": 0.0 }, { "name": "network_open_proxy", "time": 0.0 }, { "name": "network_questionable_http_path", "time": 0.0 }, { "name": "network_questionable_https_path", "time": 0.0 }, { "name": "network_smtp", "time": 0.0 }, { "name": "network_torgateway", "time": 0.0 }, { "name": "origin_langid", "time": 0.0 }, { "name": "origin_resource_langid", "time": 0.0 }, { "name": "overlay", "time": 0.0 }, { "name": "pe_deep_entrypoint", "time": 0.0 }, { "name": "packer_unknown_pe_section_name", "time": 0.0 }, { "name": "packer_aspack", "time": 0.0 }, { "name": "packer_aspirecrypt", "time": 0.0 }, { "name": "packer_bedsprotector", "time": 0.0 }, { "name": "packer_confuser", "time": 0.0 }, { "name": "packer_enigma", "time": 0.0 }, { "name": "packer_entropy", "time": 0.0 }, { "name": "packer_mpress", "time": 0.0 }, { "name": "packer_nate", "time": 0.0 }, { "name": "packer_nspack", "time": 0.0 }, { "name": "packer_smartassembly", "time": 0.0 }, { "name": "packer_spices", "time": 0.0 }, { "name": "packer_themida", "time": 0.0 }, { "name": "packer_titan", "time": 0.0 }, { "name": "packer_upx", "time": 0.0 }, { "name": "packer_vmprotect", "time": 0.0 }, { "name": "packer_yoda", "time": 0.0 }, { "name": "pdf_annot_urls_checker", "time": 0.0 }, { "name": "pe_cert_invalid_signature", "time": 0.0 }, { "name": "pe_cert_self_signed", "time": 0.0 }, { "name": "pe_cert_suspicious_issuer", "time": 0.0 }, { "name": "polymorphic", "time": 0.0 }, { "name": "punch_plus_plus_pcres", "time": 0.0 }, { "name": "procmem_yara", "time": 0.0 }, { "name": "recon_checkip", "time": 0.0 }, { "name": "sigma_events", "time": 0.0 }, { "name": "static_authenticode", "time": 0.0 }, { "name": "invalid_authenticode_signature", "time": 0.0 }, { "name": "static_dotnet_anomaly", "time": 0.0 }, { "name": "static_java", "time": 0.0 }, { "name": "static_pdf", "time": 0.0 }, { "name": "contains_pe_overlay", "time": 0.0 }, { "name": "static_pe_anomaly", "time": 0.0 }, { "name": "pe_compile_timestomping", "time": 0.0 }, { "name": "static_pe_pdbpath", "time": 0.0 }, { "name": "static_rat_config", "time": 0.0 }, { "name": "static_versioninfo_anomaly", "time": 0.0 }, { "name": "browser_credential_theft_headless", "time": 0.0 }, { "name": "suricata_alert", "time": 0.0 }, { "name": "suspicious_html_body", "time": 0.0 }, { "name": "suspicious_html_name", "time": 0.0 }, { "name": "suspicious_html_title", "time": 0.0 }, { "name": "volatility_devicetree_1", "time": 0.0 }, { "name": "volatility_handles_1", "time": 0.0 }, { "name": "volatility_ldrmodules_1", "time": 0.0 }, { "name": "volatility_ldrmodules_2", "time": 0.0 }, { "name": "volatility_malfind_1", "time": 0.0 }, { "name": "volatility_malfind_2", "time": 0.0 }, { "name": "volatility_modscan_1", "time": 0.0 }, { "name": "volatility_svcscan_1", "time": 0.0 }, { "name": "volatility_svcscan_2", "time": 0.0 }, { "name": "volatility_svcscan_3", "time": 0.0 }, { "name": "whois_create", "time": 0.0 }, { "name": "accesses_mailslot", "time": 0.0 }, { "name": "accesses_netlogon_regkey", "time": 0.0 }, { "name": "accesses_public_folder", "time": 0.0 }, { "name": "accesses_sysvol", "time": 0.0 }, { "name": "writes_sysvol", "time": 0.0 }, { "name": "adds_admin_user", "time": 0.0 }, { "name": "adds_user", "time": 0.0 }, { "name": "overwrites_admin_password", "time": 0.0 }, { "name": "antianalysis_detectfile", "time": 0.004 }, { "name": "antianalysis_detectreg", "time": 0.005 }, { "name": "modify_attachment_manager", "time": 0.0 }, { "name": "antiav_detectfile", "time": 0.007 }, { "name": "antiav_detectreg", "time": 0.024 }, { "name": "antiav_srp", "time": 0.0 }, { "name": "antiav_whitespace", "time": 0.0 }, { "name": "antidebug_devices", "time": 0.001 }, { "name": "antiemu_windefend", "time": 0.0 }, { "name": "antiemu_wine_reg", "time": 0.0 }, { "name": "antisandbox_cuckoo_files", "time": 0.0 }, { "name": "antisandbox_fortinet_files", "time": 0.0 }, { "name": "antisandbox_joe_anubis_files", "time": 0.0 }, { "name": "antisandbox_sboxie_mutex", "time": 0.0 }, { "name": "antisandbox_sunbelt_files", "time": 0.0 }, { "name": "antisandbox_threattrack_files", "time": 0.0 }, { "name": "antivm_bochs_keys", "time": 0.0 }, { "name": "antivm_generic_bios", "time": 0.0 }, { "name": "antivm_generic_diskreg", "time": 0.001 }, { "name": "antivm_hyperv_keys", "time": 0.0 }, { "name": "antivm_parallels_keys", "time": 0.001 }, { "name": "antivm_recentdocs", "time": 0.0 }, { "name": "antivm_vbox_devices", "time": 0.001 }, { "name": "antivm_vbox_files", "time": 0.003 }, { "name": "antivm_vbox_keys", "time": 0.003 }, { "name": "antivm_vmware_devices", "time": 0.0 }, { "name": "antivm_vmware_files", "time": 0.001 }, { "name": "antivm_vmware_keys", "time": 0.002 }, { "name": "antivm_vmware_mutexes", "time": 0.0 }, { "name": "antivm_vpc_files", "time": 0.0 }, { "name": "antivm_vpc_keys", "time": 0.001 }, { "name": "antivm_vpc_mutex", "time": 0.0 }, { "name": "antivm_xen_keys", "time": 0.001 }, { "name": "ketrican_regkeys", "time": 0.001 }, { "name": "bitcoin_opencl", "time": 0.0 }, { "name": "enumerates_physical_drives", "time": 0.0 }, { "name": "bot_russkill", "time": 0.0 }, { "name": "browser_addon", "time": 0.0 }, { "name": "chromium_browser_extension_directory", "time": 0.0 }, { "name": "browser_helper_object", "time": 0.0 }, { "name": "browser_security", "time": 0.0 }, { "name": "browser_startpage", "time": 0.0 }, { "name": "executes_headless_browser", "time": 0.0 }, { "name": "suspicious_browser_arguments", "time": 0.0 }, { "name": "ie_disables_process_tab", "time": 0.0 }, { "name": "odbcconf_bypass", "time": 0.0 }, { "name": "squiblydoo_bypass", "time": 0.0 }, { "name": "squiblytwo_bypass", "time": 0.0 }, { "name": "bypass_chromium_protection", "time": 0.0 }, { "name": "bypass_firewall", "time": 0.001 }, { "name": "checks_uac_status", "time": 0.0 }, { "name": "uac_bypass_cmstpcom", "time": 0.0 }, { "name": "uac_bypass_delegateexecute_sdclt", "time": 0.0 }, { "name": "uac_bypass_fodhelper", "time": 0.0 }, { "name": "cape_extracted_content", "time": 0.0 }, { "name": "clears_logs", "time": 0.0 }, { "name": "cmdline_obfuscation", "time": 0.0 }, { "name": "cmdline_switches", "time": 0.0 }, { "name": "cmdline_terminate", "time": 0.0 }, { "name": "cmdline_forfiles_wildcard", "time": 0.0 }, { "name": "cmdline_http_link", "time": 0.0 }, { "name": "cmdline_long_string", "time": 0.0 }, { "name": "cmdline_reversed_http_link", "time": 0.0 }, { "name": "long_commandline", "time": 0.0 }, { "name": "powershell_renamed_commandline", "time": 0.0 }, { "name": "copies_self", "time": 0.0 }, { "name": "credwiz_credentialaccess", "time": 0.0 }, { "name": "enables_wdigest", "time": 0.0 }, { "name": "vaultcmd_credentialaccess", "time": 0.0 }, { "name": "file_credential_store_access", "time": 0.0 }, { "name": "file_credential_store_write", "time": 0.0 }, { "name": "kerberos_credential_access_via_rubeus", "time": 0.0 }, { "name": "registry_credential_dumping", "time": 0.0 }, { "name": "registry_credential_store_access", "time": 0.0 }, { "name": "registry_lsa_secrets_access", "time": 0.0 }, { "name": "comsvcs_credentialdump", "time": 0.0 }, { "name": "cryptomining_stratum_command", "time": 0.0 }, { "name": "deepfreeze_mutex", "time": 0.0 }, { "name": "deletes_executed_files", "time": 0.0 }, { "name": "disables_app_launch", "time": 0.0 }, { "name": "disables_auto_app_termination", "time": 0.0 }, { "name": "disables_appv_virtualization", "time": 0.0 }, { "name": "disables_backups", "time": 0.001 }, { "name": "disables_browser_warn", "time": 0.001 }, { "name": "disables_context_menus", "time": 0.0 }, { "name": "disables_cpl_disable", "time": 0.0 }, { "name": "disables_crashdumps", "time": 0.0 }, { "name": "disables_event_logging", "time": 0.0 }, { "name": "disables_folder_options", "time": 0.0 }, { "name": "disables_notificationcenter", "time": 0.0 }, { "name": "disables_power_options", "time": 0.001 }, { "name": "disables_restore_default_state", "time": 0.0 }, { "name": "disables_run_command", "time": 0.0 }, { "name": "disables_smartscreen", "time": 0.0 }, { "name": "disables_startmenu_search", "time": 0.0 }, { "name": "disables_system_restore", "time": 0.0 }, { "name": "disables_uac", "time": 0.0 }, { "name": "disables_wer", "time": 0.0 }, { "name": "disables_windows_defender", "time": 0.0 }, { "name": "disables_windows_defender_logging", "time": 0.0 }, { "name": "removes_windows_defender_contextmenu", "time": 0.0 }, { "name": "removes_windows_defender_updates", "time": 0.0 }, { "name": "windows_defender_powershell", "time": 0.0 }, { "name": "disables_windows_file_protection", "time": 0.0 }, { "name": "disables_windowsupdate", "time": 0.0 }, { "name": "disables_winfirewall", "time": 0.0 }, { "name": "folder_enumeration", "time": 0.001 }, { "name": "discover_registry_mount_points", "time": 0.0 }, { "name": "adfind_domain_enumeration", "time": 0.0 }, { "name": "domain_enumeration_commands", "time": 0.0 }, { "name": "driver_filtermanager", "time": 0.0 }, { "name": "dropper", "time": 0.0 }, { "name": "dll_archive_execution", "time": 0.0 }, { "name": "lnk_archive_execution", "time": 0.0 }, { "name": "script_archive_execution", "time": 0.0 }, { "name": "excel4_macro_urls", "time": 0.0 }, { "name": "escalate_privilege_via_ntlm_relay", "time": 0.0 }, { "name": "spooler_access", "time": 0.0 }, { "name": "spooler_svc_start", "time": 0.0 }, { "name": "mapped_drives_uac", "time": 0.0 }, { "name": "hides_recycle_bin_icon", "time": 0.0 }, { "name": "infostealer_bitcoin", "time": 0.004 }, { "name": "infostealer_ftp", "time": 0.01 }, { "name": "infostealer_im", "time": 0.006 }, { "name": "infostealer_mail", "time": 0.003 }, { "name": "Evade_Execution_Via_ASPNet_Compiler", "time": 0.0 }, { "name": "Evade_Execute_Via_DeviceCredentialDeployment", "time": 0.0 }, { "name": "Evade_Execution_Via_Filter_Manager_Control", "time": 0.0 }, { "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper", "time": 0.0 }, { "name": "execute_binary_via_appvlp", "time": 0.0 }, { "name": "execute_binary_via_pcalua", "time": 0.0 }, { "name": "Execute_Binary_Via_OpenSSH", "time": 0.0 }, { "name": "execute_binary_via_pcalua", "time": 0.0 }, { "name": "Execute_Binary_Via_PesterPSModule", "time": 0.0 }, { "name": "Execute_Binary_Via_ScriptRunner", "time": 0.0 }, { "name": "execute_binary_via_ttdinject", "time": 0.0 }, { "name": "Execute_Binary_Via_VisualStudioLiveShare", "time": 0.0 }, { "name": "Execute_Msiexec_Via_Explorer", "time": 0.0 }, { "name": "execute_remote_msi", "time": 0.0 }, { "name": "execute_suspicious_powershell_via_runscripthelper", "time": 0.0 }, { "name": "execute_suspicious_powershell_via_sqlps", "time": 0.0 }, { "name": "Indirect_Command_Execution_Via_ConsoleWindowHost", "time": 0.0 }, { "name": "Perform_Malicious_Activities_Via_Headless_Browser", "time": 0.0 }, { "name": "Register_DLL_Via_CertOC", "time": 0.0 }, { "name": "Register_DLL_Via_MSIEXEC", "time": 0.0 }, { "name": "Register_DLL_Via_Odbcconf", "time": 0.0 }, { "name": "Scriptlet_Proxy_Execution_Via_Pubprn", "time": 0.0 }, { "name": "ie_martian_children", "time": 0.0 }, { "name": "office_martian_children", "time": 0.0 }, { "name": "mimics_icon", "time": 0.0 }, { "name": "masquerade_process_name", "time": 0.006 }, { "name": "mimikatz_modules", "time": 0.0 }, { "name": "ms_office_cmd_rce", "time": 0.0 }, { "name": "mount_copy_to_webdav_share", "time": 0.0 }, { "name": "potential_protocol_tunneling_via_legit_utilities", "time": 0.0 }, { "name": "potential_protocol_tunneling_via_qemu", "time": 0.0 }, { "name": "suspicious_execution_via_dotnet_remoting", "time": 0.0 }, { "name": "modify_certs", "time": 0.0 }, { "name": "dotnet_clr_usagelog_regkeys", "time": 0.0 }, { "name": "modify_hostfile", "time": 0.0 }, { "name": "modify_oem_information", "time": 0.0 }, { "name": "modify_security_center_warnings", "time": 0.0 }, { "name": "modify_uac_prompt", "time": 0.0 }, { "name": "network_dns_blockchain", "time": 0.0 }, { "name": "network_dns_opennic", "time": 0.0 }, { "name": "network_dns_paste_site", "time": 0.0 }, { "name": "network_dns_reverse_proxy", "time": 0.0 }, { "name": "network_dns_temp_file_storage", "time": 0.0 }, { "name": "network_dns_temp_urldns", "time": 0.0 }, { "name": "network_dns_url_shortener", "time": 0.0 }, { "name": "network_dns_doh_tls", "time": 0.0 }, { "name": "suspicious_tld", "time": 0.0 }, { "name": "network_tor_service", "time": 0.0 }, { "name": "office_code_page", "time": 0.0 }, { "name": "office_addinloading", "time": 0.0 }, { "name": "office_perfkey", "time": 0.0 }, { "name": "office_macro", "time": 0.0 }, { "name": "changes_trust_center_settings", "time": 0.0 }, { "name": "disables_vba_trust_access", "time": 0.0 }, { "name": "office_macro_autoexecution", "time": 0.0 }, { "name": "office_macro_ioc", "time": 0.0 }, { "name": "office_macro_malicious_prediction", "time": 0.0 }, { "name": "office_macro_suspicious", "time": 0.0 }, { "name": "rtf_aslr_bypass", "time": 0.0 }, { "name": "rtf_anomaly_characterset", "time": 0.0 }, { "name": "rtf_anomaly_version", "time": 0.0 }, { "name": "rtf_embedded_content", "time": 0.0 }, { "name": "rtf_embedded_office_file", "time": 0.0 }, { "name": "rtf_exploit_static", "time": 0.0 }, { "name": "office_security", "time": 0.0 }, { "name": "accesses_office_username", "time": 0.0 }, { "name": "office_anomalous_feature", "time": 0.0 }, { "name": "office_dde_command", "time": 0.0 }, { "name": "packer_armadillo_mutex", "time": 0.0 }, { "name": "packer_armadillo_regkey", "time": 0.0 }, { "name": "persistence_ads", "time": 0.0 }, { "name": "persistence_safeboot", "time": 0.0 }, { "name": "persistence_ifeo", "time": 0.0 }, { "name": "persistence_silent_process_exit", "time": 0.0 }, { "name": "persistence_rdp_registry", "time": 0.0 }, { "name": "persistence_rdp_shadowing", "time": 0.0 }, { "name": "persistence_service", "time": 0.0 }, { "name": "persistence_shim_database", "time": 0.0 }, { "name": "powershell_scriptblock_logging", "time": 0.0 }, { "name": "powershell_command_suspicious", "time": 0.0 }, { "name": "powershell_history_save_mod", "time": 0.0 }, { "name": "powershell_renamed", "time": 0.0 }, { "name": "powershell_reversed", "time": 0.0 }, { "name": "powershell_variable_obfuscation", "time": 0.0 }, { "name": "prevents_safeboot", "time": 0.0 }, { "name": "cmdline_process_discovery", "time": 0.0 }, { "name": "ransomware_extensions_generic", "time": 0.0 }, { "name": "ransomware_extensions_known", "time": 0.002 }, { "name": "ransomware_files", "time": 0.004 }, { "name": "ransomware_recyclebin", "time": 0.0 }, { "name": "ransomware_revil_regkey", "time": 0.0 }, { "name": "reads_password_database", "time": 0.0 }, { "name": "recon_fingerprint", "time": 0.001 }, { "name": "rdptcp_key", "time": 0.0 }, { "name": "uses_rdp_clip", "time": 0.0 }, { "name": "uses_remote_desktop_session", "time": 0.0 }, { "name": "removes_networking_icon", "time": 0.0 }, { "name": "removes_pinned_programs", "time": 0.0 }, { "name": "removes_security_maintenance_icon", "time": 0.0 }, { "name": "removes_startmenu_defaults", "time": 0.0 }, { "name": "removes_username_startmenu", "time": 0.0 }, { "name": "sniffer_winpcap", "time": 0.0 }, { "name": "spreading_autoruninf", "time": 0.0 }, { "name": "stealth_hidden_extension", "time": 0.0 }, { "name": "stealth_hiddenreg", "time": 0.0 }, { "name": "stealth_hide_notifications", "time": 0.0 }, { "name": "stealth_webhistory", "time": 0.0 }, { "name": "sysinternals_psexec", "time": 0.0 }, { "name": "sysinternals_tools", "time": 0.0 }, { "name": "language_check_registry", "time": 0.0 }, { "name": "tampers_etw", "time": 0.0 }, { "name": "lsa_tampering", "time": 0.0 }, { "name": "tampers_powershell_logging", "time": 0.0 }, { "name": "territorial_disputes_sigs", "time": 0.008 }, { "name": "uses_adfind", "time": 0.0 }, { "name": "uses_ms_protocol", "time": 0.0 }, { "name": "owa_web_shell_files", "time": 0.0 }, { "name": "web_shell_files", "time": 0.0 }, { "name": "web_shell_processes", "time": 0.0 }, { "name": "dotnet_csc_build", "time": 0.0 }, { "name": "mavinject_lolbin", "time": 0.0 }, { "name": "multiple_explorer_instances", "time": 0.0 }, { "name": "script_tool_executed", "time": 0.0 }, { "name": "suspicious_certutil_use", "time": 0.0 }, { "name": "suspicious_command_tools", "time": 0.0 }, { "name": "suspicious_mpcmdrun_use", "time": 0.0 }, { "name": "suspicious_ping_use", "time": 0.0 }, { "name": "uses_powershell_copyitem", "time": 0.0 }, { "name": "uses_windows_utilities", "time": 0.0 }, { "name": "uses_windows_utilities_appcmd", "time": 0.0 }, { "name": "uses_windows_utilities_csvde_ldifde", "time": 0.0 }, { "name": "uses_windows_utilities_cipher", "time": 0.0 }, { "name": "uses_windows_utilities_clickonce", "time": 0.0 }, { "name": "uses_windows_utilities_curl", "time": 0.0 }, { "name": "uses_windows_utilities_dsquery", "time": 0.0 }, { "name": "uses_windows_utilities_esentutl", "time": 0.0 }, { "name": "uses_windows_utilities_finger", "time": 0.0 }, { "name": "uses_windows_utilities_mode", "time": 0.0 }, { "name": "uses_windows_utilities_ntdsutil", "time": 0.0 }, { "name": "uses_windows_utilities_nltest", "time": 0.0 }, { "name": "uses_windows_utilities_setx", "time": 0.0 }, { "name": "uses_windows_utilities_xcopy", "time": 0.0 }, { "name": "wmic_command_suspicious", "time": 0.0 }, { "name": "scrcons_wmi_script_consumer", "time": 0.0 } ], "reporting": [ { "name": "BinGraph", "time": 0.0 } ] }, "target": { "category": "file", "file": { "name": "TD DDF.pdf", "path": "/opt/CAPEv2/storage/binaries/1abdbd9f3447644fa5bd670b3d5c7bd72a1c88f9790da429c0edeab1d93cf8b9", "guest_paths": "", "size": 166416, "crc32": "0E2B6928", "md5": "f1e834ec4750fc3116987bb0681223bd", "sha1": "95b69c0475cffe58e8b41445e36de30b2e85d94f", "sha256": "1abdbd9f3447644fa5bd670b3d5c7bd72a1c88f9790da429c0edeab1d93cf8b9", "sha512": "a20b0a2b30f37145db1a5180afbc2be7285fafc8d4301d68641bd959d8dcf85a4346f02a36477b4d1af639bd78490ed054a7ac7a3ab1c32b1d477621ea65d3de", "rh_hash": null, "ssdeep": "3072:8n0gY4zbPYBXAA9wooSPeLjYPojd60UwqfEMHDEUL+j:80gY4wz9wooSCYIAWAEMHDEn", "type": "PDF document, version 1.5, 7 page(s) (zip deflate encoded)", "yara": [ { "name": "multiple_versions", "meta": { "author": "Glenn Edwards (@hiddenillusion)", "version": "0.1", "description": "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed", "weight": 1 }, "strings": [ "%PDF", "trailer", "%%EOF" ], "addresses": { "magic": 0, "s0": 166244, "s1": 166411 } } ], "cape_yara": [], "clamav": [], "tlsh": "T1EDF3F12D4A9DBDDFF32187C00A2B7D49356E3076F9C42349162EC75681B4A7E442798B", "sha3_384": "37b7c4aaedf4229e6b3ac1632e0ad9b1813bb091a9b1334f81ff34b928f546053e8809d2ccb9b52d9aabdb51cc3d2c36", "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce", "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a", "data": null, "strings": [ "0000000075 65535 f", "20 0 obj", ".p5$CW", "P%2.'2", "7 0 obj", "xTY.Qo*", "M:tKSmT", "d6r;V", "+%3-A", "Yuu7.", "r3of-", "Tt:|4zK", "'&4yR", "0000000105 65535 f", "99*4&", "X9o1N$", "0000000123 65535 f", "0000000065 65535 f", "4 0 obj", "0000000071 65535 f", "0000000057 65535 f", "Microsoft", "l-\\Y.", "0000000027 65535 f", "}2]MG", "\\D0+\"`", "Op-Fh", "0000000077 65535 f", "0000000137 65535 f", "0000000048 65535 f", "e#{F.W.l", "0000000079 65535 f", "hWKKM+S3", "Kc0Q^", "0000000097 65535 f", "ezYD:", "N/bQz", "K/Id} ]", "=->!-", "jMb;ly", "\\=-WW", "0000000217 65535 f", "l~jN1", "0000001622 00000 n", "x.z.%\\s&M", "I,I,O", "xA-!;;", "UN@/F", "CMn;&E", "CvH8D", ";O3^m", "0000000062 65535 f", "228 0 obj", "?hPV{", ";\"Vc}>", "^=(}{", "0000000196 65535 f", "0000000146 65535 f", "5hxr$fG", "vt`#:", "WC}oR.", "i5:iO", "yI1kK", "1<%<-<#<3<+|c", "0000000100 65535 f", "5 0 obj", "Vy5TW-", "0000000017 00000 n", "<>", "0000000035 65535 f", "cDJDZDFDfDV", "KmX\\/z", "SDvJF", "\\\"2DB.", "x5\"r^", "H]?^1", "0000000076 65535 f", "$BRA\"$)", "htUtAt5~", "0000000156 65535 f", "0000000162 65535 f", "5O5+Z", "MI~Y~", "<>", "0000000164 65535 f", "6) /CreationDate(D:20260628171817-07'00') /ModDate(D:20260628171817-07'00') /Producer(", "B.-G>s", "\"5|k|", "Jg~9_", "6*|jl\\", "0000000220 65535 f", "<>/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>>", ">ynKWF8F", "%%EOF", "s(duy", "]A;skA", "0000000070 65535 f", "mihgC", "/STO(", "d9l-[", "9Z{;xW", "`.iEH9", "_C7Gb", "0000000173 65535 f", "U99sBn", "FrtSwL&[", "kp\"=j", "0000000486 00000 n", "0000000111 65535 f", "FZ[QX", "0000000129 65535 f", "^}yd=F", "h-ZCI", "h[:iF", ";m\\fD", "<>", "s0Ox(f", "0NxC ", "|y>)y", "}*Yg6", "_fo>-", "0000000080 65535 f", ".3uLT", "0000000058 65535 f", "0000000098 65535 f", "&&\\1=", "tc|7ielL;^", "+Xn6{", "0000000143 65535 f", "0000003540 00000 n", "*T-TK", "|s(2C", "mlhcC", "%PDF-1.5", "Dq3/Jk", "$oF9]", "o4XD',", "0000000051 65535 f", "%kQYy", "iaK<-T", "0000000102 65535 f", "0000000134 65535 f", "IHNBf", "0000000031 65535 f", "Ep.bt[", "0000003806 00000 n", "g)#)f$", "y>Q?/", ").^UJe", "g[~\\~", "m|_,i&2-[", "0!\\U419", "gLa5~", "2@[?@", "0000000081 65535 f", "wh0\\z", "R>nJ_", "w8|&.j", "*`,VW", "v$84<", "vDv6j", "`^(2w", "0000000210 65535 f", "[ 226 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 507 0 0 0 0 0 0 268 0 0 0 0 0 0 579 0 0 0 0 0 0 0 252 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 479 0 423 525 498 305 0 0 230 0 455 230 799 525 527 0 0 349 391 335 0 452] ", "8~=Pr}", "0000000095 65535 f", "trailer", "<>", "=mOHh'", "0000000024 65535 f", "X&vKo,", "C5AeH", "0000000165 65535 f", "<>/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 16 0 R/Group<>/Tabs/S/StructParents 4>>", "gd~(Rl", "0000000125 00000 n", "K9{KD", "@%%D{/", "R,L<(", "0000000050 65535 f", "<^Z!2", "[TstS", "0000000144 65535 f", "oNlZl", "B]!~SW", ">+4]<", "*i!A-", "9Rh81G", "z3X[k", "UVf&S", "}h~o;", "aVr~x=", "0000000155 65535 f", "NUWW}u", "V:Q|k", "1Ag0{", "0000000142 65535 f", "0000000000 65535 f", "G1>)c", "m|y|9", "vz\"g7", "0000000121 65535 f", "!c1d,", "Lg&jNc", "22!L&", "WG2BiH", "0000005415 00000 n", "zU\"n{", "QZ1\"c", "y5%yJi", "ey8a_", "0000000215 65535 f", "J;caSZm@O", "Kf_Kf", "0000000218 65535 f", "0000000033 65535 f", "<] >>", "<>", "J\\cmZ", "X?Zyv", ">#BriI[", "6) >>", "3*YJ5", "a2\"LF", "0000000168 65535 f", "82_ZHy", "_\"sMY`", "((:yz\\d4", "fvN2+", "0000000206 65535 f", "0000000022 65535 f", "aY-[7", "R9Z^ ", "0000000042 65535 f", "18 0 obj", ":~YOc-i", "PN\"7xM", "'h>\\N", "*6[", "9I|z'L", "*BcBcC", "BG8S}", "yG|'y", "2 0 obj", "6tc;z", "IrRi\\^", "wr(eN", "0000004465 00000 n", "0000000180 65535 f", "<>", "%Ke4T\"", "0000000159 65535 f", "'q2q&q", "c$5L6", "KIFWW", "62~*[k", "}R}Dc", "k,o+m%", "k9tp\\", "f|E$0", "v*b,B", "+OCZXT", "`4X-k", "2UM2U", "l~oqD", "0000000130 65535 f", "0000000140 65535 f", "0000000183 65535 f", "j2\";`", "SQJE)", "t:3c#t", "0000000063 65535 f", "l,[#E", "%3%3p", "Kz}", "0000000127 65535 f", "2c@.3", "c/o4n", "+ocVde", "5Vwxj", "&rQ9'Q:Q", "v#3&S", "-GS39F", "I?,O)", "HQZ5\\", "0000000190 65535 f", "0000000219 65535 f", "6 0 obj", "endstream", "t]oj/", "r.7", "rzdefx", "", "166233", "f1;/f", "0000000194 65535 f", "uE]VF", "1v.Et", "b,VHf", "itF7bm", "0000000136 65535 f", "7@3IOB", "KrY]N", "Oq/KN", "\\v2T,", "0000000195 65535 f", "0*8I7", "(#2BBj", "7-'m`", "tIDjhQ", "]AkY[v", "\"/ywr", "keopO", "DAAT$", "FOD'z[", "14 0 obj", "0000000225 65535 f", "~eUcUKU+", "I5", "-`X)6", "_g=yc", "&X(=TAD", "|cLSoN&", "]F4_h", "aI[LK", "3pA:%", "s}NZa", "0000000222 00000 n", "0000000069 65535 f", "t6;o9o;", "8 0 obj", "F&LJX", "TGCM1", "419|JlZ", "0000000131 65535 f", "Z?j+Za", "0000001329 00000 n", ",/3Qr", "wt;\"~!", "7+nQ|Jq;", "uHkiH", "F6]k9J", "28 0 obj", "0000000171 65535 f", "|m5_[", "0000000114 65535 f", "g$q0=", "6#Mwu", "b<<&&", "<>/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 10 0 R/Group<>/Tabs/S/StructParents 1>>", "Hc7+\"", "LQ8ST", "0000000175 65535 f", "AO%Jp", "0000000106 65535 f", "<] /Prev 161473/XRefStm 160818>>", "MTYmV[", "~@S`9", "mFWot", "0000000066 65535 f", "=VTJw", "mzY?|", "lk9p&\\{W", "0000000122 65535 f", "SKSMx", "-|f\\iN4", "0000000089 65535 f", "5|&.3", "Z+Ckeh", "MfK`N", "r2L9F9", "p[2Of", "@E-pX", "\\i[9j", "Tuos*", "gNw32", "0000000115 65535 f", "0000000118 65535 f", "eX2x%A", "]{^nUX`", "YY4Kg", "oGGGG", "|5_Mi|", "16 0 obj", "{81>Q", "w )E{'\\", "C^~#3", "KGJ}1", "0000000101 65535 f", "w]B>A", "0000000208 65535 f", "u/+5*", "<;3:", "b;i|P", "+PD3Z", ".>W^j.", "*RYY1@", "..&.2<%", "$f%vH", "-1jQb", "c_=~D", "0000000061 65535 f", "{+Dt^", "=6S1j", " V!nB", "nL%y+", "t]wI=%u", "*Q]U7", "^b/A|", "EGxPt", "0000000036 65535 f", "0000000158 65535 f", "0000000086 65535 f", ")}MRl", "0000006332 00000 n", "161473", "s%\"X)qV", "IQz4S", "kIIJR", "jrq^=", "-hE%c", "$190Xb", "U@_5Z", "Pj*ut", "R)I:H", "kgD%V", "8I:^(/", "YqJ4d", "0000000147 65535 f", "(599Y", "0000000172 65535 f", "0000000039 65535 f", "w}YD4", "\\h~c.2", "xYDGC", "Q,7`3", "]y3PE]", "^TF> ", "0000000120 65535 f", "oXE^_E", "3&gMFL.", "m96wl", "R|5B/", "0000000047 65535 f", "<>", "0000000052 65535 f", "T0]0K", ">/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 18 0 R/Group<>/Tabs/S/StructParents 5>>", "0000000096 65535 f", "yfY\"B%M", "1loXvXN", ",YEVCy", "oQmU;", "g&So!", ",u*+5", "^GO_9", "227 0 obj", "0000000207 65535 f", "v:+J{", "J2%6'_HlA", "4S_SM", ",\\yS\\y+\\y", "J12O1", "pWx(|NK", "0000000103 65535 f", "0000000176 65535 f", "!2XHd", "[~Ie~I5", "9\\8UW", "0000006598 00000 n", "*kjZS", "M!u~kV", "\"*~*Qc0", "0000000133 65535 f", "if'_N", "834g>", "r9Y.'", "<>", "pg\\a/", "Cu>", "~b+}<%3;", "Fj+t=", "5WZJv", "UPZPjF", "cM\\C|xv", "0000000205 65535 f", "mm/n-", "}7}w|", "tE>,v5", "0000000141 65535 f", "0000000054 65535 f", "!1jBb", "/P1\"H", "IR/e-(8", "kOKF=", "bqV!e", "<>/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 14 0 R/Group<>/Tabs/S/StructParents 3>>", "0000000043 65535 f", "/n4^?", "0000000182 65535 f", "LcSN7", "R}`@A", "0000000072 65535 f", "* Y,&s", "2^#j]", "0000000124 65535 f", "cnll}", "/mF2j$c", "`k`{`", "{Qdv^+g", "p7jLC7]@Q", "jS`N:", "0000000053 65535 f", "`&R/{", "0000000222 65535 f", "3n'5RS", "*\\nH?", "ry/{g{", "EyNy^y!X", "bAW0$", "TQGj|<", "0000000026 65535 f", "0000000139 65535 f", "|dxbxfX", "FQd>cn", "blm)[S", "on^_bn^_", "KC}rdt", "(h6pP", "U1rP1rH1rX1rD1rT1", "+>cpc", "yz&}o", "0000000028 65535 f", "0000000160 65535 f", "stream", "j)fKQ%E", "<>", "<] /Filter/FlateDecode/Length 452>>", "0000009932 00000 n", "%T8", "\"$+At", "O$.H\\", "0000000153 65535 f", "6KX=U", "Vt=Po", "V-rq5", "uc,;T", "OwQbpw", "R5(FX", "19 0 obj", "+@~=l", "DTF4&", "o59dp", "0000000161 65535 f", "P.!S~", "<>", "c[:~Rg", "~dbdG", "Jbk2Ob", "$9+Nwf", "(W^zf?", ";yX~/", "#O*>Z'", "0000000025 65535 f", "<>", "7+^s~a", "MTETIt2", "6Z5:3", "*SeQ}H95", "0000000200 65535 f", "Y{J^-=", "0000000152 65535 f", "MHFh}", "Zbmjn", "0000000213 65535 f", "0000000110 65535 f", "MfD87Nk", "P5OZ+", "0000000034 65535 f", "=m0u:", "0000000221 65535 f", "J$J g1s", ")Ff)Ff+F>W", " Word 201", "G{c\\H", "i!oB*q", "c<@+=Z", "IIyIyL", "t!Uu!=w!", "0000000029 65535 f", "p[l46", "Y_[Us", "VTGae", "9f&+>9>", "mbOy,", "qjv@I", "Seh.\"", "@uHWf*(", "0000000151 65535 f", "0000000091 65535 f", "10 0 obj", "umDmkcy", "0000000067 65535 f", "9Eo8y", "kS,=k", ")m|N2", "5f(+2", "0000000169 65535 f", "~%&Pu", "8GV0O", "xVV<++", "#Q_Z@f", "NW1(-", "0000009694 00000 n", "]iWXJ", "cxjfs|", ":G^;P", "2W\\If", "hZ4M>", "qCY>", "0000001160 00000 n", "0000000060 65535 f", "uoSFx#-", "^e-IY", " L", "Yz9K/", "0000000166 65535 f", "Odu&G", "21 0 obj", "zSLCTG", "0000005681 00000 n", "jR1lr1", "$%Z6Z", "Sd{9@4", "0\"\" Bd", "2,pE#", "b1by0", "g 9Ogr", "A%y%y", "pNT}o", "[X#?`Y", "T%9UINU", "?t(t$", "2m?2!E", "0000000044 65535 f", "`?(7f", ">i^N}", "0000000149 65535 f", "&ugSbz", "gcXLlLRL ", "/.29ijRL", "0000000198 65535 f", "0000000119 65535 f", "T4Ejs", "0000002613 00000 n", "0000000138 65535 f", "0000000167 65535 f", ",v>`Y", "xe[eGewe_", "0000000177 65535 f", "k>?0c", "<>", "=)PKq", "0000000094 65535 f", "vu{Q7", "0000000179 65535 f", "0000001940 00000 n", "n:u%Y", "Ia;>Q", "0000000099 65535 f", "#r=V&", "0000000188 65535 f", "0000000214 65535 f", "?|w)|", "0000002879 00000 n", "Kh5i7", "kF{nG", "GZ`vp", "O`h`|`F`q`]`k`o", "Bu/'?", "0000000109 65535 f", "WkDi)G", "9 0 obj", "0000000078 65535 f", "0000000192 65535 f", "0000000197 65535 f", "0000000212 65535 f", "0000000216 65535 f", "15 0 obj", "2wr%#W?", "VuT]UO", "0000000032 65535 f", "0000000150 65535 f", "YE'^X?", "0000000041 65535 f", "y2E?_i9", "\"cYGt", "3 0 obj", "FPH#(", "$*1Wd", "0000000189 65535 f", "{?U!s", "0000000056 65535 f", "<>/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 20 0 R/Group<>/Tabs/S/StructParents 6>>", "Njz{>hV", "2$y&\"W", "1 0 obj", "\\J?H#", "0000000223 65535 f", "Od}3|dMd", "0000000185 65535 f", "0000000059 65535 f", "BlOg{", "AcmY;", "0000000125 65535 f", "%E*%\\*", "y*_n^", "0000000064 65535 f", "fWf[j<5U3", "}fe6F", "\\N1}X?", "aMX{6", "0000000083 65535 f", "yVS>L", "`&YHX", "endobj", "be/7o", "0Jy;T", "K*M*", "7lsz'b~W8", "VFP+#2", "y3P)/", ">)-)C", "0000001675 00000 n", "0000000128 65535 f", "((nb\"", "0000000073 65535 f", "+Vzul", "0000000174 65535 f", "s9>'*L", "s1)7)", "0000000084 65535 f", "nCr'5", "0000000148 65535 f", "9RD8-", "J)9MCK", "x^\\xy9y9\"//", "0000000191 65535 f", "lm(-jU", "}^lDo", "0jG_'C", "<>/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 12 0 R/Group<>/Tabs/S/StructParents 2>>", "Tr5Y@^ ", "hg^+?2", "0000000090 65535 f", "0000000112 65535 f", "0000000126 65535 f", "8qJks[", "0000000211 65535 f", "0000000224 65535 f", "RkH@t", "LH0h3", "@eldE6", "1W@+h", "| :+99", "^goq+", "4#?I3", ",1`@?", "<>>>", "0000001569 00000 n", " qTRz", "Y'GH8", "\"5e]l4", "0ox3PE/", "E;-5A", "r*v:pv", "Ed'@Xd", "7b]c)", "r uQ=+u!l", "\\%-Um", "Ohhh|hFhqh]hkho", "R$?iF~", "0000007145 00000 n", "RO `WImKm", "i?fJ," ], "virustotal": { "error": true, "msg": "Unable to complete connection to VirusTotal. Status code: 429" }, "executed_tools": [ "msi_extract", "overlay", "kixtart_extract", "vbe_extract", "batch_extract", "UnAutoIt_extract", "UPX_unpack", "RarSFX_extract", "Inno_extract", "SevenZip_unpack", "de4dot_deobfuscate", "eziriz_deobfuscate", "office_one" ], "cape_type_code": 0, "cape_type": "" } }, "CAPE": { "payloads": [], "configs": [] }, "info": { "version": "2.5", "started": "2026-06-29 10:08:46", "ended": "2026-06-29 10:09:28", "duration": 42, "id": 17, "category": "file", "custom": "", "machine": { "id": 17, "status": "stopping", "name": "win10", "label": "win10", "platform": "windows", "manager": "KVM", "started_on": "2026-06-29 10:08:46", "shutdown_on": "2026-06-29 10:09:27" }, "package": "pdf", "timeout": false, "tlp": null, "parent_sample": null, "options": {}, "source_url": null, "route": "internet", "user_id": 0, "CAPE_current_commit": "394455c2cd85889fb0782bfcf1f8c5c2f7f77b46" }, "behavior": { "processes": [ { "process_id": 3412, "process_name": "AcroRd32.exe", "parent_id": 2892, "module_path": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe", "first_seen": "2026-06-28 21:56:14,980", "calls": [ { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "3636", "caller": "0x76fac348", "parentcaller": "0x76f66431", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000054" } ], "repeated": 0, "id": 0 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "3636", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "3636", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 2 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "2296", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 3 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "2296", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 4 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "2520", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 5 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "2520", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 6 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "4744", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 7 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "4744", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 8 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "4992", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 9 }, { "timestamp": "2026-06-28 21:56:15,215", "thread_id": "4992", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 10 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e21324", "parentcaller": "0x00000000", "category": "misc", "api": "HeapCreate", "status": true, "return": "0x04e50000", "arguments": [ { "name": "Options", "value": "0" }, { "name": "InitialSize", "value": "0x00001000" }, { "name": "MaximumSize", "value": "0x00000000" } ], "repeated": 0, "id": 11 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e215c1", "parentcaller": "0x00000000", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" } ], "repeated": 0, "id": 12 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e215df", "parentcaller": "0x00000000", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "FlsAlloc" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75151e20" } ], "repeated": 0, "id": 13 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e215ec", "parentcaller": "0x00000000", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "FlsGetValue" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7514e770" } ], "repeated": 0, "id": 14 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e215f9", "parentcaller": "0x00000000", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "FlsSetValue" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x751511e0" } ], "repeated": 0, "id": 15 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e21606", "parentcaller": "0x00000000", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "FlsFree" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75152050" } ], "repeated": 0, "id": 16 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e21e83", "parentcaller": "0x00e21711", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" } ], "repeated": 0, "id": 17 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00ed7ad2", "parentcaller": "0x00000000", "category": "misc", "api": "GetCommandLineW", "status": true, "return": "0x006a1032", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf\"" } ], "repeated": 0, "id": 18 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e2279d", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e51000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 19 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e21d9d", "parentcaller": "0x00e21c4f", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e52000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 20 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e24d9e", "parentcaller": "0x00e22dce", "category": "hooking", "api": "SetUnhandledExceptionFilter", "status": true, "return": "0x00000001", "arguments": [ { "name": "ExceptionFilter", "value": "0x00eded03" } ], "repeated": 0, "id": 21 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e259d0", "parentcaller": "0x00e25213", "category": "misc", "api": "GetCommandLineW", "status": true, "return": "0x006a1032", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf\"" } ], "repeated": 0, "id": 22 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e26881", "parentcaller": "0x00e6c6b6", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "SHELL32.dll" }, { "name": "BaseAddress", "value": "0x76320000" } ], "repeated": 0, "id": 23 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e26959", "parentcaller": "0x00e6c6b6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "ModuleHandle", "value": "0x76320000" }, { "name": "FunctionName", "value": "CommandLineToArgvW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7647a0b0" } ], "repeated": 0, "id": 24 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e25a1f", "parentcaller": "0x00e25213", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x76873000" }, { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 25 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e25a1f", "parentcaller": "0x00e25213", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x76873000" }, { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 26 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2633b", "parentcaller": "0x00e25a1f", "category": "misc", "api": "CommandLineToArgvW", "status": true, "return": "0x006d3688", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf\"" }, { "name": "NumArgs", "value": "2" } ], "repeated": 0, "id": 27 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e53000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 28 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e275b1", "parentcaller": "0x00e2752c", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "kernel32.dll" }, { "name": "ModuleHandle", "value": "0x75130000" } ], "repeated": 0, "id": 29 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e275b8", "parentcaller": "0x00e2752c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "IsWow64Process" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x751506e0" } ], "repeated": 0, "id": 30 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e27615", "parentcaller": "0x00e2752c", "category": "system", "api": "NtQueryLicenseValue", "status": true, "return": "0x00000000", "arguments": [ { "name": "Name", "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode" }, { "name": "Type", "value": "0x00000004" } ], "repeated": 0, "id": 31 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e289b2", "parentcaller": "0x00e2890b", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "Software\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown" }, { "name": "Handle", "value": "0x00000054" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown" } ], "repeated": 0, "id": 32 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e289f2", "parentcaller": "0x00e2890b", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x00000054" }, { "name": "ValueName", "value": "bProtectedMode" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bProtectedMode" } ], "repeated": 0, "id": 33 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e28a21", "parentcaller": "0x00e2890b", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000054" } ], "repeated": 0, "id": 34 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e289b2", "parentcaller": "0x00e28928", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" } ], "repeated": 0, "id": 35 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a18e", "parentcaller": "0x00ed7b37", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "sftldr.dll" }, { "name": "ModuleHandle", "value": "0x00efbbb6" } ], "repeated": 0, "id": 36 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a199", "parentcaller": "0x00ed7b37", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "sftldr_wow64.dll" }, { "name": "ModuleHandle", "value": "0x00efbbb6" } ], "repeated": 0, "id": 37 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2543f", "parentcaller": "0x00ed7b37", "category": "windows", "api": "FindWindowA", "status": false, "return": "0x00000000", "arguments": [ { "name": "ClassName", "value": "32770" }, { "name": "WindowName", "value": "_AcroAppTimer" } ], "repeated": 0, "id": 38 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" }, { "name": "Handle", "value": "0x000002e4" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" } ], "repeated": 0, "id": 39 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a56f", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x000002e4" }, { "name": "ValueName", "value": "bEnableAlternateTempDirectory" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableAlternateTempDirectory" } ], "repeated": 0, "id": 40 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" } ], "repeated": 0, "id": 41 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a59c", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000006", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "ValueName", "value": "bEnableAlternateTempDirectory" }, { "name": "FullName", "value": "bEnableAlternateTempDirectory" } ], "repeated": 0, "id": 42 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2aaa5", "parentcaller": "0x00e2a2fd", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e4" } ], "repeated": 0, "id": 43 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" }, { "name": "Handle", "value": "0x000002e4" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" } ], "repeated": 0, "id": 44 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a56f", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x000002e4" }, { "name": "ValueName", "value": "bEnableAlternateLaunchDesktop" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableAlternateLaunchDesktop" } ], "repeated": 0, "id": 45 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" } ], "repeated": 0, "id": 46 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a59c", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000006", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "ValueName", "value": "bEnableAlternateLaunchDesktop" }, { "name": "FullName", "value": "bEnableAlternateLaunchDesktop" } ], "repeated": 0, "id": 47 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2aaa5", "parentcaller": "0x00e2abed", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e4" } ], "repeated": 0, "id": 48 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a377", "parentcaller": "0x00e25508", "category": "registry", "api": "RegOpenKeyExA", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "Software\\Adobe\\Adobe Acrobat\\11.0\\Security" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Adobe Acrobat\\11.0\\Security" } ], "repeated": 0, "id": 49 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e25519", "parentcaller": "0x00ed7b37", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "kernel32.dll" }, { "name": "ModuleHandle", "value": "0x75130000" } ], "repeated": 0, "id": 50 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e25529", "parentcaller": "0x00ed7b37", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "SetProcessDEPPolicy" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75148920" } ], "repeated": 0, "id": 51 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e25531", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtSetInformationProcess", "status": false, "return": "0xffffffffc0000022", "pretty_return": "ACCESS_DENIED", "arguments": [ { "name": "ProcessInformationClass", "value": "34", "pretty_value": "ProcessExecuteFlags" }, { "name": "ProcessInformation", "value": "9" } ], "repeated": 0, "id": 52 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2553c", "parentcaller": "0x00ed7b37", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 53 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2554c", "parentcaller": "0x00ed7b37", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "NtSetInformationProcess" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f72b90" } ], "repeated": 0, "id": 54 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2556a", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtSetInformationProcess", "status": false, "return": "0xffffffffc0000022", "pretty_return": "ACCESS_DENIED", "arguments": [ { "name": "ProcessInformationClass", "value": "34", "pretty_value": "ProcessExecuteFlags" }, { "name": "ProcessInformation", "value": "13" } ], "repeated": 0, "id": 55 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a3e9", "parentcaller": "0x00e255d2", "category": "synchronization", "api": "NtOpenMutant", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "MutexName", "value": "Global\\ARM Update Mutex" } ], "repeated": 0, "id": 56 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a411", "parentcaller": "0x00e255d2", "category": "synchronization", "api": "NtOpenMutant", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "MutexName", "value": "Global\\Acro Update Mutex" } ], "repeated": 0, "id": 57 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a624", "parentcaller": "0x00e255fe", "category": "windows", "api": "FindWindowW", "status": false, "return": "0x00000000", "arguments": [ { "name": "ClassName", "value": "AdobeAcrobatSpeedLaunchCmdWnd" }, { "name": "WindowName", "value": "" } ], "repeated": 0, "id": 58 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a624", "parentcaller": "0x00e2560a", "category": "windows", "api": "FindWindowW", "status": false, "return": "0x00000000", "arguments": [ { "name": "ClassName", "value": "AdobeReaderSpeedLaunchCmdWnd" }, { "name": "WindowName", "value": "" } ], "repeated": 0, "id": 59 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2a7c9", "parentcaller": "0x00e25634", "category": "system", "api": "NtQueryLicenseValue", "status": true, "return": "0x00000000", "arguments": [ { "name": "Name", "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode" }, { "name": "Type", "value": "0x00000004" } ], "repeated": 0, "id": 60 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "threading", "api": "NtQueryInformationThread", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0xfffffffe" }, { "name": "ThreadInformationClass", "value": "42" }, { "name": "ThreadInformation", "value": "\\x00\\x00\\x00\\x00" }, { "name": "ThreadId", "value": "3636" } ], "repeated": 0, "id": 61 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "ntmarta.dll" } ], "repeated": 0, "id": 62 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\ntmarta.dll" } ], "repeated": 0, "id": 63 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000002e8" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ntmarta.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 64 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000002ec" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x000002e8" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\ntmarta.dll" } ], "repeated": 0, "id": 65 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000002ec" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73a30000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x00029000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 66 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73a55000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 67 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 68 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 69 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73a53000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 70 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002ec" } ], "repeated": 0, "id": 71 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e8" } ], "repeated": 0, "id": 72 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73a53000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 73 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\SYSTEM32\\ntmarta.dll" } ], "repeated": 0, "id": 74 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000002e8" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ntmarta.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 75 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e8" } ], "repeated": 0, "id": 76 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\ntmarta" }, { "name": "DllBase", "value": "0x73a30000" } ], "repeated": 0, "id": 77 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\ntmarta" }, { "name": "BaseAddress", "value": "0x73a30000" }, { "name": "InitRoutine", "value": "0x73a37e90" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 78 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x756e3000" }, { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 79 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2565d", "parentcaller": "0x00ed7b37", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x756e3000" }, { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 80 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2ade1", "parentcaller": "0x00e2565d", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73a55000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 81 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2ade1", "parentcaller": "0x00e2565d", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73a55000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 82 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2bb8a", "parentcaller": "0x00e2b446", "category": "threading", "api": "NtCreateThreadEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x00000310" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "StartAddress", "value": "0x00e2c170" }, { "name": "Parameter", "value": "0x04e518d0" }, { "name": "CreateFlags", "value": "0x00000001" }, { "name": "ThreadId", "value": "3536" }, { "name": "ProcessId", "value": "3412" }, { "name": "Module", "value": "AcroRd32.exe" } ], "repeated": 0, "id": 83 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2bb8a", "parentcaller": "0x00e2b446", "category": "threading", "api": "CreateThread", "status": true, "return": "0x00000310", "arguments": [ { "name": "StartRoutine", "value": "0x00e2c170" }, { "name": "ModuleName", "value": "AcroRd32.exe" }, { "name": "Parameter", "value": "0x04e518d0" }, { "name": "CreationFlags", "value": "0x00000000" }, { "name": "ThreadId", "value": "3536" } ], "repeated": 0, "id": 84 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2af37", "parentcaller": "0x00e2566e", "category": "misc", "api": "GetCommandLineW", "status": true, "return": "0x006a1032", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf\"" } ], "repeated": 0, "id": 85 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e26881", "parentcaller": "0x00e6c6db", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "ole32.dll" }, { "name": "BaseAddress", "value": "0x754f0000" } ], "repeated": 0, "id": 86 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3536", "caller": "0x76f40787", "parentcaller": "0x76f4048f", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00933000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 87 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e26959", "parentcaller": "0x00e6c6db", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ole32.dll" }, { "name": "ModuleHandle", "value": "0x754f0000" }, { "name": "FunctionName", "value": "CoInitializeEx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75807f20" } ], "repeated": 0, "id": 88 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3536", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 89 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\system32\\rpcss.dll" }, { "name": "ModuleHandle", "value": "0x0000001e" } ], "repeated": 0, "id": 90 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3536", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 91 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3536", "caller": "0x00e2c409", "parentcaller": "0x00e2c19d", "category": "system", "api": "IsDebuggerPresent", "status": false, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 92 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "misc", "api": "NtQuerySystemInformation", "status": true, "return": "0x00000000", "arguments": [ { "name": "SystemInformationClass", "value": "0", "pretty_value": "FILE_SUPERSEDE" } ], "repeated": 0, "id": 93 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "kernel.appcore.dll" } ], "repeated": 0, "id": 94 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\kernel.appcore.dll" } ], "repeated": 0, "id": 95 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000320" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\kernel.appcore.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 96 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000324" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000320" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\kernel.appcore.dll" } ], "repeated": 0, "id": 97 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000324" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74cf0000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x0000f000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 98 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74cfc000" }, { "name": "ModuleName", "value": "kernel.appcore.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 99 }, { "timestamp": "2026-06-28 21:56:15,230", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 100 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 101 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74cf9000" }, { "name": "ModuleName", "value": "kernel.appcore.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 102 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000324" } ], "repeated": 0, "id": 103 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000320" } ], "repeated": 0, "id": 104 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74cf9000" }, { "name": "ModuleName", "value": "kernel.appcore.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 105 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\SYSTEM32\\kernel.appcore.dll" } ], "repeated": 0, "id": 106 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000320" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\kernel.appcore.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 107 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000320" } ], "repeated": 0, "id": 108 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74cf9000" }, { "name": "ModuleName", "value": "kernel.appcore.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 109 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74cf9000" }, { "name": "ModuleName", "value": "kernel.appcore.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 110 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\kernel.appcore" }, { "name": "DllBase", "value": "0x74cf0000" } ], "repeated": 0, "id": 111 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0xffffffffabd62501", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel.appcore" }, { "name": "BaseAddress", "value": "0x74cf0000" }, { "name": "InitRoutine", "value": "0x74cf47e0" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 112 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x759a8000" }, { "name": "ModuleName", "value": "combase.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 113 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x759a8000" }, { "name": "ModuleName", "value": "combase.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 114 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtOpenSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000324" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "bcryptPrimitives.dll" } ], "repeated": 0, "id": 115 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000324" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769d0000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x0005f000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 116 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 117 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 118 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x76a2a000" }, { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 119 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000324" } ], "repeated": 0, "id": 120 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x76a2a000" }, { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 121 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\System32\\bcryptPrimitives.dll" } ], "repeated": 0, "id": 122 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000324" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\bcryptPrimitives.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 123 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000324" } ], "repeated": 0, "id": 124 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\System32\\bcryptPrimitives" }, { "name": "DllBase", "value": "0x769d0000" } ], "repeated": 0, "id": 125 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x000002d4" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy" } ], "repeated": 0, "id": 126 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x000002d4" }, { "name": "ValueName", "value": "STE" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE" } ], "repeated": 0, "id": 127 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002d4" } ], "repeated": 0, "id": 128 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x000002d4" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy" } ], "repeated": 0, "id": 129 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x000002d4" }, { "name": "ValueName", "value": "Enabled" }, { "name": "Type", "value": "4", "pretty_value": "REG_DWORD" }, { "name": "Information", "value": "0" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled" } ], "repeated": 0, "id": 130 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x000002d0" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa" } ], "repeated": 0, "id": 131 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x000002d0" }, { "name": "ValueName", "value": "FipsAlgorithmPolicy" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy" } ], "repeated": 0, "id": 132 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x000002d4" }, { "name": "ValueName", "value": "MDMEnabled" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled" } ], "repeated": 0, "id": 133 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002d4" } ], "repeated": 0, "id": 134 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002d0" } ], "repeated": 0, "id": 135 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "registry", "api": "NtOpenKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration" } ], "repeated": 0, "id": 136 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000002d0" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "\\Device\\CNG" }, { "name": "ShareAccess", "value": "7", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 137 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "device", "api": "DeviceIoControl", "status": true, "return": "0x00000001", "arguments": [ { "name": "DeviceHandle", "value": "0x000002d0" }, { "name": "IoControlCode", "value": "0x00390008", "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER" }, { "name": "InBuffer", "value": "" }, { "name": "OutBuffer", "value": "\\xa2\\x8a?\\x99:;\\xca\\xb7\\xc1\\x1e\\x1f\\x04\\xd0\\xce\\xc5{b=i:\\x83\\xec\\xab\\xb5\\x0c\\xe6\\xbb\\x1c\\x13\\x04O\\xd4u\\xa8\\xc8\\xea\\xd918R\\xb2\\xe7\\x13y\\xcc\\xb3\\xc4Y" } ], "repeated": 0, "id": 138 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\bcryptprimitives" }, { "name": "BaseAddress", "value": "0x769d0000" }, { "name": "InitRoutine", "value": "0x76a03650" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 139 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75442000" }, { "name": "ModuleName", "value": "RPCRT4.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 140 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2becc", "parentcaller": "0x00e2af45", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75442000" }, { "name": "ModuleName", "value": "RPCRT4.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 141 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2c409", "parentcaller": "0x00e2ca83", "category": "system", "api": "IsDebuggerPresent", "status": false, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 142 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2e0d1", "parentcaller": "0x00e2cb0d", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" } ], "repeated": 1, "id": 143 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" }, { "name": "Handle", "value": "0x000002c8" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" } ], "repeated": 0, "id": 144 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a56f", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x000002c8" }, { "name": "ValueName", "value": "bEnforceReadRestrictions" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnforceReadRestrictions" } ], "repeated": 0, "id": 145 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" } ], "repeated": 0, "id": 146 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a59c", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000006", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "ValueName", "value": "bEnforceReadRestrictions" }, { "name": "FullName", "value": "bEnforceReadRestrictions" } ], "repeated": 0, "id": 147 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2aaa5", "parentcaller": "0x00e2aa30", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002c8" } ], "repeated": 0, "id": 148 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" }, { "name": "Handle", "value": "0x000002c8" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" } ], "repeated": 0, "id": 149 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a56f", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x000002c8" }, { "name": "ValueName", "value": "bEnableGlobalAtomRestrictions" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableGlobalAtomRestrictions" } ], "repeated": 0, "id": 150 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" } ], "repeated": 0, "id": 151 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a59c", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000006", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "ValueName", "value": "bEnableGlobalAtomRestrictions" }, { "name": "FullName", "value": "bEnableGlobalAtomRestrictions" } ], "repeated": 0, "id": 152 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2aaa5", "parentcaller": "0x00e2f62d", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002c8" } ], "repeated": 0, "id": 153 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" }, { "name": "Handle", "value": "0x000002c8" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" } ], "repeated": 0, "id": 154 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a56f", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x000002c8" }, { "name": "ValueName", "value": "bPreventCreatingExecutables" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bPreventCreatingExecutables" } ], "repeated": 0, "id": 155 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" } ], "repeated": 0, "id": 156 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a59c", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000006", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "ValueName", "value": "bPreventCreatingExecutables" }, { "name": "FullName", "value": "bPreventCreatingExecutables" } ], "repeated": 0, "id": 157 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2aaa5", "parentcaller": "0x00e2f7bd", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002c8" } ], "repeated": 0, "id": 158 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" }, { "name": "Handle", "value": "0x000002c8" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0" } ], "repeated": 0, "id": 159 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a56f", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x000002c8" }, { "name": "ValueName", "value": "bEnableBinaryPlantingProtection" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableBinaryPlantingProtection" } ], "repeated": 0, "id": 160 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" } ], "repeated": 0, "id": 161 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e2a59c", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000006", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "ValueName", "value": "bEnableBinaryPlantingProtection" }, { "name": "FullName", "value": "bEnableBinaryPlantingProtection" } ], "repeated": 0, "id": 162 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2aaa5", "parentcaller": "0x00e2f94d", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002c8" } ], "repeated": 0, "id": 163 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2fea2", "parentcaller": "0x00e2fe26", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "ADVAPI32.DLL" }, { "name": "BaseAddress", "value": "0x75670000" } ], "repeated": 0, "id": 164 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2fecb", "parentcaller": "0x00e2fe26", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x75670000" }, { "name": "FunctionName", "value": "SystemFunction036" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x73a62a40" } ], "repeated": 0, "id": 165 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2ff2b", "parentcaller": "0x00e2fe26", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73a67000" }, { "name": "ModuleName", "value": "CRYPTBASE.DLL" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 166 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e2ff2b", "parentcaller": "0x00e2fe26", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73a67000" }, { "name": "ModuleName", "value": "CRYPTBASE.DLL" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 167 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e34a2b", "parentcaller": "0x00e347c8", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Installer" }, { "name": "Handle", "value": "0x000002c8" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\11.0\\Installer" } ], "repeated": 0, "id": 168 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e34a74", "parentcaller": "0x00e347c8", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002c8" }, { "name": "ValueName", "value": "Path" }, { "name": "Data", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Adobe\\Acrobat Reader\\11.0\\Installer\\Path" } ], "repeated": 0, "id": 169 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e34ab0", "parentcaller": "0x00e347c8", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002c8" } ], "repeated": 0, "id": 170 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e34c41", "parentcaller": "0x00e347ea", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\plug_ins\\Test_Tools\\Automation.api" } ], "repeated": 0, "id": 171 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e54000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 172 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e55000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 173 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e56000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 174 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e357c2", "parentcaller": "0x00e33242", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "C:\\Windows\\System32\\uxtheme.dll" }, { "name": "BaseAddress", "value": "0x74330000" } ], "repeated": 0, "id": 175 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 176 }, { "timestamp": "2026-06-28 21:56:15,246", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" } ], "repeated": 0, "id": 177 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b91a0", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 178 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 179 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b91a0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 180 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 181 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 182 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 183 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b91a0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 184 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 185 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9520", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 186 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 187 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" }, { "name": "FirstCreateTimeLow", "value": "0xe6448f1b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 188 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 189 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 1, "id": 190 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36268", "parentcaller": "0x00e361cc", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" } ], "repeated": 0, "id": 191 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36268", "parentcaller": "0x00e361cc", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 192 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36bf1", "parentcaller": "0x00e362be", "category": "filesystem", "api": "NtCreateFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000002e0" }, { "name": "DesiredAccess", "value": "0x00100080", "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" }, { "name": "CreateDisposition", "value": "1", "pretty_value": "FILE_OPEN" }, { "name": "ShareAccess", "value": "0" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "yes" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 193 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e368d7", "parentcaller": "0x00e36c60", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 194 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e361ea", "parentcaller": "0x00e36083", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" } ], "repeated": 0, "id": 195 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 196 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" } ], "repeated": 0, "id": 197 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9620", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 198 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 199 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b91a0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 200 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 201 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 202 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 203 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b91a0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 204 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 205 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 206 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 207 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" }, { "name": "FirstCreateTimeLow", "value": "0xe6448f1b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 208 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 209 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 210 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" } ], "repeated": 0, "id": 211 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp" } ], "repeated": 0, "id": 212 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 213 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 214 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 215 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 216 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 217 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e60000" }, { "name": "RegionSize", "value": "0x00208000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 218 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e60000" }, { "name": "RegionSize", "value": "0x00006000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 219 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05067000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 220 }, { "timestamp": "2026-06-28 21:56:15,261", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 221 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" } ], "repeated": 0, "id": 222 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 223 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 224 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9520", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 225 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 226 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 227 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 228 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 229 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 230 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 231 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 232 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" }, { "name": "FirstCreateTimeLow", "value": "0xe6448f1b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 233 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 234 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 235 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf" } ], "repeated": 0, "id": 236 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp" } ], "repeated": 0, "id": 237 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 238 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 239 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 240 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 241 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 242 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e57000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 243 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e59000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 244 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e5b000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 245 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e5d000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 246 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e26881", "parentcaller": "0x00eea1f5", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "MPR.dll" }, { "name": "BaseAddress", "value": "0x74000000" } ], "repeated": 0, "id": 247 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e26959", "parentcaller": "0x00eea1f5", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "MPR.dll" }, { "name": "ModuleHandle", "value": "0x74000000" }, { "name": "FunctionName", "value": "WNetGetUniversalNameW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x740106f0" } ], "repeated": 0, "id": 248 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\" } ], "repeated": 0, "id": 249 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000002e0" }, { "name": "DesiredAccess", "value": "0x00100000", "pretty_value": "SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\" }, { "name": "ShareAccess", "value": "3", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE" } ], "repeated": 0, "id": 250 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "filesystem", "api": "NtQueryInformationFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000002e0" }, { "name": "HandleName", "value": "C:\\" }, { "name": "FileInformationClass", "value": "9", "pretty_value": "FileNameInformation" }, { "name": "FileInformation", "value": "\\x02\\x00\\x00\\x00\\\\x00" } ], "repeated": 0, "id": 251 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "filesystem", "api": "GetVolumeInformationByHandleW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Handle", "value": "0x000002e0" }, { "name": "VolumeName", "value": "" }, { "name": "VolumeSerial", "value": "0x00000000" } ], "repeated": 0, "id": 252 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 253 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral" }, { "name": "Handle", "value": "0x000002e0" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral" } ], "repeated": 0, "id": 254 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e2a89d", "parentcaller": "0x00e3b256", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x000002e0" }, { "name": "ValueName", "value": "iMaxMRUCnt" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\iMaxMRUCnt" } ], "repeated": 0, "id": 255 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e2aaa5", "parentcaller": "0x00e3b125", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 256 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1" }, { "name": "Handle", "value": "0x000002e0" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1" } ], "repeated": 0, "id": 257 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e4302e", "parentcaller": "0x00e3b423", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" }, { "name": "ValueName", "value": "aFS" }, { "name": "Data", "value": "DOS" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\aFS" } ], "repeated": 0, "id": 258 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e4302e", "parentcaller": "0x00e3b440", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" }, { "name": "ValueName", "value": "tDIText" }, { "name": "Data", "value": "/C/Users/Rajesh/Desktop/TD DDF.pdf" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\tDIText" } ], "repeated": 0, "id": 259 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e6dd5e", "parentcaller": "0x00e3b474", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" }, { "name": "ValueName", "value": "sDI" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\sDI" } ], "repeated": 0, "id": 260 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e6dd5e", "parentcaller": "0x00e3b4b8", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" }, { "name": "ValueName", "value": "sDI" }, { "name": "Data", "value": "/C/Users/Rajesh/Desktop/TD DDF.pdf\\x00" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\sDI" } ], "repeated": 0, "id": 261 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 262 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" } ], "repeated": 0, "id": 263 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9320", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 264 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 265 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9520", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 266 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 267 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9520", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 268 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 269 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" }, { "name": "FirstCreateTimeLow", "value": "0xc8e7c100" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd075c" } ], "repeated": 0, "id": 270 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 271 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e3b524", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 1, "id": 272 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e3b542", "parentcaller": "0x00e3b132", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" } ], "repeated": 0, "id": 273 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e3b542", "parentcaller": "0x00e3b132", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 274 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36bf1", "parentcaller": "0x00e3b5a3", "category": "filesystem", "api": "NtCreateFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x0000032c" }, { "name": "DesiredAccess", "value": "0x00100080", "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" }, { "name": "CreateDisposition", "value": "1", "pretty_value": "FILE_OPEN" }, { "name": "ShareAccess", "value": "0" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "yes" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 275 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e368d7", "parentcaller": "0x00e36c60", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 276 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 277 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" } ], "repeated": 0, "id": 278 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 279 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 280 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b95e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 281 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 282 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 283 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 284 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9520", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" }, { "name": "FirstCreateTimeLow", "value": "0xc8e7c100" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd075c" } ], "repeated": 0, "id": 285 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 286 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36248", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 1, "id": 287 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36268", "parentcaller": "0x00e361cc", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" } ], "repeated": 0, "id": 288 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36268", "parentcaller": "0x00e361cc", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 289 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36bf1", "parentcaller": "0x00e362be", "category": "filesystem", "api": "NtCreateFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x0000032c" }, { "name": "DesiredAccess", "value": "0x00100080", "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" }, { "name": "CreateDisposition", "value": "1", "pretty_value": "FILE_OPEN" }, { "name": "ShareAccess", "value": "0" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "yes" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 290 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e368d7", "parentcaller": "0x00e36c60", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 291 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e361ea", "parentcaller": "0x00e36083", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" } ], "repeated": 0, "id": 292 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 293 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" } ], "repeated": 0, "id": 294 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 295 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 296 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 297 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 298 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9320", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 299 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 300 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9320", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" }, { "name": "FirstCreateTimeLow", "value": "0xc8e7c100" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd075c" } ], "repeated": 0, "id": 301 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 302 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 303 }, { "timestamp": "2026-06-28 21:56:15,277", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" } ], "repeated": 0, "id": 304 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop" } ], "repeated": 0, "id": 305 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 306 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 307 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 308 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e56f0f", "parentcaller": "0x00e37b5c", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 309 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e56f16", "parentcaller": "0x00e37b5c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlCompareUnicodeString" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f504e0" } ], "repeated": 0, "id": 310 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 311 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" } ], "repeated": 0, "id": 312 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9320", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 313 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 314 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9320", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 315 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 316 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b90e0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 317 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 318 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9320", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" }, { "name": "FirstCreateTimeLow", "value": "0xc8e7c100" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd075c" } ], "repeated": 0, "id": 319 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 320 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 321 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf" } ], "repeated": 0, "id": 322 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Desktop" } ], "repeated": 0, "id": 323 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 324 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 325 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 326 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05070000" }, { "name": "RegionSize", "value": "0x00100000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 327 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05070000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 328 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05073000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 329 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000032c" }, { "name": "DesiredAccess", "value": "0x00000009", "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" } ], "repeated": 0, "id": 330 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x0000032c" }, { "name": "ValueName", "value": "ResourcePolicies" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies" } ], "repeated": 0, "id": 331 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 332 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00680000" }, { "name": "RegionSize", "value": "0x00008000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 333 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00680000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 334 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05075000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 335 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05077000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 336 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\" } ], "repeated": 0, "id": 337 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x0000032c" }, { "name": "DesiredAccess", "value": "0x00100000", "pretty_value": "SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\" }, { "name": "ShareAccess", "value": "3", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE" } ], "repeated": 0, "id": 338 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "filesystem", "api": "NtQueryInformationFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x0000032c" }, { "name": "HandleName", "value": "C:\\" }, { "name": "FileInformationClass", "value": "9", "pretty_value": "FileNameInformation" }, { "name": "FileInformation", "value": "\\x02\\x00\\x00\\x00\\\\x00" } ], "repeated": 0, "id": 339 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "filesystem", "api": "GetVolumeInformationByHandleW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Handle", "value": "0x0000032c" }, { "name": "VolumeName", "value": "" }, { "name": "VolumeSerial", "value": "0x00000000" } ], "repeated": 0, "id": 340 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3ad7d", "parentcaller": "0x00e35f7b", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 341 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e2aaa5", "parentcaller": "0x00e3b132", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 342 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c2" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c2" } ], "repeated": 0, "id": 343 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3bfe6", "parentcaller": "0x00e33490", "category": "threading", "api": "NtCreateThreadEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x00000330" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "StartAddress", "value": "0x00e3c2a0" }, { "name": "Parameter", "value": "0x04e55880" }, { "name": "CreateFlags", "value": "0x00000001" }, { "name": "ThreadId", "value": "4784" }, { "name": "ProcessId", "value": "3412" }, { "name": "Module", "value": "AcroRd32.exe" } ], "repeated": 0, "id": 344 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3bfe6", "parentcaller": "0x00e33490", "category": "threading", "api": "CreateThread", "status": true, "return": "0x00000330", "arguments": [ { "name": "StartRoutine", "value": "0x00e3c2a0" }, { "name": "ModuleName", "value": "AcroRd32.exe" }, { "name": "Parameter", "value": "0x04e55880" }, { "name": "CreationFlags", "value": "0x00000000" }, { "name": "ThreadId", "value": "4784" } ], "repeated": 0, "id": 345 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3c27a", "parentcaller": "0x00e334ce", "category": "threading", "api": "NtCreateThreadEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x00000340" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "StartAddress", "value": "0x00e3c800" }, { "name": "Parameter", "value": "0x04e5ab38" }, { "name": "CreateFlags", "value": "0x00000001" }, { "name": "ThreadId", "value": "3960" }, { "name": "ProcessId", "value": "3412" }, { "name": "Module", "value": "AcroRd32.exe" } ], "repeated": 0, "id": 346 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3c27a", "parentcaller": "0x00e334ce", "category": "threading", "api": "CreateThread", "status": true, "return": "0x00000340", "arguments": [ { "name": "StartRoutine", "value": "0x00e3c800" }, { "name": "ModuleName", "value": "AcroRd32.exe" }, { "name": "Parameter", "value": "0x04e5ab38" }, { "name": "CreationFlags", "value": "0x00000000" }, { "name": "ThreadId", "value": "3960" } ], "repeated": 0, "id": 347 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3cc31", "parentcaller": "0x00e335db", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "Software\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown" }, { "name": "Handle", "value": "0x00000348" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown" } ], "repeated": 0, "id": 348 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3cc67", "parentcaller": "0x00e335db", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x00000348" }, { "name": "ValueName", "value": "bDisableCryptBroker" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bDisableCryptBroker" } ], "repeated": 0, "id": 349 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3cc89", "parentcaller": "0x00e335db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000348" } ], "repeated": 0, "id": 350 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3d6b6", "parentcaller": "0x00e339dc", "category": "threading", "api": "NtCreateThreadEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x00000350" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "StartAddress", "value": "0x00e3d7e0" }, { "name": "Parameter", "value": "0x04e544f8" }, { "name": "CreateFlags", "value": "0x00000001" }, { "name": "ThreadId", "value": "3548" }, { "name": "ProcessId", "value": "3412" }, { "name": "Module", "value": "AcroRd32.exe" } ], "repeated": 0, "id": 351 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3d6b6", "parentcaller": "0x00e339dc", "category": "threading", "api": "CreateThread", "status": true, "return": "0x00000350", "arguments": [ { "name": "StartRoutine", "value": "0x00e3d7e0" }, { "name": "ModuleName", "value": "AcroRd32.exe" }, { "name": "Parameter", "value": "0x04e544f8" }, { "name": "CreationFlags", "value": "0x00000000" }, { "name": "ThreadId", "value": "3548" } ], "repeated": 0, "id": 352 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3d7c4", "parentcaller": "0x00e33a20", "category": "threading", "api": "NtCreateThreadEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x00000360" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "StartAddress", "value": "0x00e3dce0" }, { "name": "Parameter", "value": "0x04e545a0" }, { "name": "CreateFlags", "value": "0x00000001" }, { "name": "ThreadId", "value": "2136" }, { "name": "ProcessId", "value": "3412" }, { "name": "Module", "value": "AcroRd32.exe" } ], "repeated": 0, "id": 353 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3d7c4", "parentcaller": "0x00e33a20", "category": "threading", "api": "CreateThread", "status": true, "return": "0x00000360", "arguments": [ { "name": "StartRoutine", "value": "0x00e3dce0" }, { "name": "ModuleName", "value": "AcroRd32.exe" }, { "name": "Parameter", "value": "0x04e545a0" }, { "name": "CreationFlags", "value": "0x00000000" }, { "name": "ThreadId", "value": "2136" } ], "repeated": 0, "id": 354 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05570000" }, { "name": "RegionSize", "value": "0x0008b000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 355 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05570000" }, { "name": "RegionSize", "value": "0x00009000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 356 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x055fa000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 357 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "process", "api": "NtQueryInformationToken", "status": true, "return": "0x00000000", "arguments": [ { "name": "TokenInformationClass", "value": "1" }, { "name": "TokenInformation", "value": "\\xb0\\xf2O\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00|\\x00\\x00\\x00\\xf4\\x02Z\\x02\\x01\\x00\\x00\\x00\\xf0\\xf8\\x99\\x02\\x03\\x00\\x00\\x00\\x7f\\x00\\x00\\x00" } ], "repeated": 0, "id": 358 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000368" }, { "name": "DesiredAccess", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002" }, { "name": "ObjectAttributes", "value": "HKEY_CURRENT_USER" } ], "repeated": 0, "id": 359 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000036c" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000368" }, { "name": "ObjectAttributesName", "value": "Keyboard Layout\\Preload" }, { "name": "ObjectAttributes", "value": "HKEY_CURRENT_USER\\Keyboard Layout\\Preload" } ], "repeated": 0, "id": 360 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000036c" }, { "name": "ValueName", "value": "1" }, { "name": "Type", "value": "1", "pretty_value": "REG_SZ" }, { "name": "Information", "value": "00000409" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Keyboard Layout\\Preload\\1" } ], "repeated": 0, "id": 361 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000036c" } ], "repeated": 0, "id": 362 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000368" } ], "repeated": 0, "id": 363 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000368" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\00000409" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\00000409" } ], "repeated": 0, "id": 364 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000368" }, { "name": "ValueName", "value": "Layout File" }, { "name": "Type", "value": "1", "pretty_value": "REG_SZ" }, { "name": "Information", "value": "KBDUS.DLL" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Keyboard Layouts\\00000409\\Layout File" } ], "repeated": 0, "id": 365 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000368" }, { "name": "ValueName", "value": "Attributes" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Keyboard Layouts\\00000409\\Attributes" } ], "repeated": 0, "id": 366 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000368" } ], "repeated": 0, "id": 367 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\KBDUS" }, { "name": "DllBase", "value": "0x73a20000" } ], "repeated": 0, "id": 368 }, { "timestamp": "2026-06-28 21:56:15,293", "thread_id": "4784", "caller": "0x76f51b4e", "parentcaller": "0x76f4daf1", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000088" }, { "name": "Milliseconds", "value": "18446744073709551615" }, { "name": "Status", "value": "Infinite" } ], "repeated": 0, "id": 369 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "KBDUS.DLL" }, { "name": "BaseAddress", "value": "0x73a20000" } ], "repeated": 0, "id": 370 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": false, "return": "0xffffffffc0000138", "arguments": [ { "name": "ModuleName", "value": "KBDUS.DLL" }, { "name": "ModuleHandle", "value": "0x73a20000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "3" }, { "name": "FunctionAddress", "value": "0x00000000" } ], "repeated": 0, "id": 371 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": false, "return": "0xffffffffc0000138", "arguments": [ { "name": "ModuleName", "value": "KBDUS.DLL" }, { "name": "ModuleHandle", "value": "0x73a20000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "5" }, { "name": "FunctionAddress", "value": "0x00000000" } ], "repeated": 0, "id": 372 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": false, "return": "0xffffffffc0000138", "arguments": [ { "name": "ModuleName", "value": "KBDUS.DLL" }, { "name": "ModuleHandle", "value": "0x73a20000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "6" }, { "name": "FunctionAddress", "value": "0x00000000" } ], "repeated": 0, "id": 373 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KBDUS.DLL" }, { "name": "ModuleHandle", "value": "0x73a20000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "1" }, { "name": "FunctionAddress", "value": "0x73a21010" } ], "repeated": 0, "id": 374 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": false, "return": "0xffffffffc0000138", "arguments": [ { "name": "ModuleName", "value": "KBDUS.DLL" }, { "name": "ModuleHandle", "value": "0x73a20000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "2" }, { "name": "FunctionAddress", "value": "0x00000000" } ], "repeated": 0, "id": 375 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006d5000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 376 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "unload" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\KBDUS" }, { "name": "DllBase", "value": "0x73a20000" } ], "repeated": 0, "id": 377 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 378 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 379 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73a20000" }, { "name": "RegionSize", "value": "0x00001000" } ], "repeated": 0, "id": 380 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "filesystem", "api": "NtCreateFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x0000036c" }, { "name": "DesiredAccess", "value": "0x80100080", "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\KBDUS.DLL" }, { "name": "CreateDisposition", "value": "1", "pretty_value": "FILE_OPEN" }, { "name": "ShareAccess", "value": "1", "pretty_value": "FILE_SHARE_READ" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "yes" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 381 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3dcba", "parentcaller": "0x00e3db3b", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000036c" } ], "repeated": 0, "id": 382 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3960", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 383 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3960", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 384 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3548", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 385 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3548", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 386 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e35e41", "parentcaller": "0x00e3e01e", "category": "process", "api": "NtQueryInformationToken", "status": true, "return": "0x00000000", "arguments": [ { "name": "TokenInformationClass", "value": "29" }, { "name": "TokenInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 387 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e35e41", "parentcaller": "0x00e3e01e", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006d7000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 388 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3548", "caller": "0x00e26959", "parentcaller": "0x00e6c6db", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ole32.dll" }, { "name": "ModuleHandle", "value": "0x754f0000" }, { "name": "FunctionName", "value": "CoInitialize" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75519bc0" } ], "repeated": 0, "id": 389 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "adialhk.dll" }, { "name": "ModuleHandle", "value": "0x0000006f" } ], "repeated": 0, "id": 390 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "acpiz.dll" }, { "name": "ModuleHandle", "value": "0x05078fb8" } ], "repeated": 0, "id": 391 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "avgrsstx.dll" }, { "name": "ModuleHandle", "value": "0x05078fb8" } ], "repeated": 0, "id": 392 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "babylonchromepi.dll" }, { "name": "ModuleHandle", "value": "0x05078fb8" } ], "repeated": 0, "id": 393 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "babylo~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 394 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "btkeyind.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 395 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "cmcsyshk.dll" }, { "name": "ModuleHandle", "value": "0x05078fb8" } ], "repeated": 0, "id": 396 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "cmsetac.dll" }, { "name": "ModuleHandle", "value": "0x04e57620" } ], "repeated": 0, "id": 397 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "cooliris.dll" }, { "name": "ModuleHandle", "value": "0x04e57648" } ], "repeated": 0, "id": 398 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "dockshellhook.dll" }, { "name": "ModuleHandle", "value": "0x04e57580" } ], "repeated": 0, "id": 399 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "docksh~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 400 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "easyhook32.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 401 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "easyho~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 402 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "googledesktopnetwork3.dll" }, { "name": "ModuleHandle", "value": "0x04e574b8" } ], "repeated": 0, "id": 403 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "google~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 404 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "fwhook.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 405 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "hookprocesscreation.dll" }, { "name": "ModuleHandle", "value": "0x04e575f8" } ], "repeated": 0, "id": 406 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "hookpr~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 407 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "hookterminateapis.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 408 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "hookte~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 409 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "hookprintapis.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 410 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "hookpr~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 411 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "imon.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 412 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "ioloHL.dll" }, { "name": "ModuleHandle", "value": "0x04e57508" } ], "repeated": 0, "id": 413 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "kloehk.dll" }, { "name": "ModuleHandle", "value": "0x04e57698" } ], "repeated": 0, "id": 414 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "lawenforcer.dll" }, { "name": "ModuleHandle", "value": "0x04e57508" } ], "repeated": 0, "id": 415 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "lawenf~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 416 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "libdivx.dll" }, { "name": "ModuleHandle", "value": "0x04e57670" } ], "repeated": 0, "id": 417 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "lvprcinj01.dll" }, { "name": "ModuleHandle", "value": "0x04e57738" } ], "repeated": 0, "id": 418 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "lvprci~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 419 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "madchook.dll" }, { "name": "ModuleHandle", "value": "0x04e57710" } ], "repeated": 0, "id": 420 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "mdnsnsp.dll" }, { "name": "ModuleHandle", "value": "0x04e57620" } ], "repeated": 0, "id": 421 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "moonsysh.dll" }, { "name": "ModuleHandle", "value": "0x04e575a8" } ], "repeated": 0, "id": 422 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "mpk.dll" }, { "name": "ModuleHandle", "value": "0x04e57788" } ], "repeated": 0, "id": 423 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "npdivx32.dll" }, { "name": "ModuleHandle", "value": "0x00e3f013" } ], "repeated": 0, "id": 424 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "npggNT.des" }, { "name": "ModuleHandle", "value": "0x04e57530" } ], "repeated": 0, "id": 425 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "npggNT.dll" }, { "name": "ModuleHandle", "value": "0x04e57558" } ], "repeated": 0, "id": 426 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "oawatch.dll" }, { "name": "ModuleHandle", "value": "0x04e575d0" } ], "repeated": 0, "id": 427 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10513.dll" }, { "name": "ModuleHandle", "value": "0x04e574e0" } ], "repeated": 0, "id": 428 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 429 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10514.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 430 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 431 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10515.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 432 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 433 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10516.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 434 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 435 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10517.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 436 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 437 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10518.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 438 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 439 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10519.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 440 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 441 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10520.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 442 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 443 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10521.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 444 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 445 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10522.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 446 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 447 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexplorer-10523.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 448 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "owexpl~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 449 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "pavhook.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 450 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "pavlsphook.dll" }, { "name": "ModuleHandle", "value": "0x04e574e0" } ], "repeated": 0, "id": 451 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "pavlsp~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 452 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "pavshook.dll" }, { "name": "ModuleHandle", "value": "0x04e57580" } ], "repeated": 0, "id": 453 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "pavshookwow.dll" }, { "name": "ModuleHandle", "value": "0x04e57468" } ], "repeated": 0, "id": 454 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "pavsho~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 455 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "pctavhook.dll" }, { "name": "ModuleHandle", "value": "0x04e57648" } ], "repeated": 0, "id": 456 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "pctavh~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 457 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "pctgmhk.dll" }, { "name": "ModuleHandle", "value": "0x04e575a8" } ], "repeated": 0, "id": 458 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "prntrack.dll" }, { "name": "ModuleHandle", "value": "0x04e57698" } ], "repeated": 0, "id": 459 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "protector.dll" }, { "name": "ModuleHandle", "value": "0x04e577d8" } ], "repeated": 0, "id": 460 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "protec~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 461 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "radhslib.dll" }, { "name": "ModuleHandle", "value": "0x04e57490" } ], "repeated": 0, "id": 462 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "radprlib.dll" }, { "name": "ModuleHandle", "value": "0x04e57738" } ], "repeated": 0, "id": 463 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "rapportnikko.dll" }, { "name": "ModuleHandle", "value": "0x04e577b0" } ], "repeated": 0, "id": 464 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "rappor~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 465 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "rlhook.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 466 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "rooksdol.dll" }, { "name": "ModuleHandle", "value": "0x04e57508" } ], "repeated": 0, "id": 467 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "rpchromebrowserrecordhelper.dll" }, { "name": "ModuleHandle", "value": "0x04e575f8" } ], "repeated": 0, "id": 468 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "rpchro~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 469 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "r3hook.dll" }, { "name": "ModuleHandle", "value": "0x04e546c8" } ], "repeated": 0, "id": 470 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "sahook.dll" }, { "name": "ModuleHandle", "value": "0x04e57580" } ], "repeated": 0, "id": 471 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "sbrige.dll" }, { "name": "ModuleHandle", "value": "0x04e577d8" } ], "repeated": 0, "id": 472 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "sc2hook.dll" }, { "name": "ModuleHandle", "value": "0x04e575a8" } ], "repeated": 0, "id": 473 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "sdhook32.dll" }, { "name": "ModuleHandle", "value": "0x04e57710" } ], "repeated": 0, "id": 474 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "sguard.dll" }, { "name": "ModuleHandle", "value": "0x04e57698" } ], "repeated": 0, "id": 475 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "smum32.dll" }, { "name": "ModuleHandle", "value": "0x04e577d8" } ], "repeated": 0, "id": 476 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "smumhook.dll" }, { "name": "ModuleHandle", "value": "0x04e57468" } ], "repeated": 0, "id": 477 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "ssldivx.dll" }, { "name": "ModuleHandle", "value": "0x04e577b0" } ], "repeated": 0, "id": 478 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "syncor11.dll" }, { "name": "ModuleHandle", "value": "0x04e57710" } ], "repeated": 0, "id": 479 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "systools.dll" }, { "name": "ModuleHandle", "value": "0x04e57648" } ], "repeated": 0, "id": 480 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "tfwah.dll" }, { "name": "ModuleHandle", "value": "0x04e57530" } ], "repeated": 0, "id": 481 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "wblind.dll" }, { "name": "ModuleHandle", "value": "0x04e57508" } ], "repeated": 0, "id": 482 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "wbhelp.dll" }, { "name": "ModuleHandle", "value": "0x04e575f8" } ], "repeated": 0, "id": 483 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3efc6", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "winstylerthemehelper.dll" }, { "name": "ModuleHandle", "value": "0x04e575d0" } ], "repeated": 0, "id": 484 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f16e", "parentcaller": "0x00e3da3c", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "winsty~1.dll" }, { "name": "ModuleHandle", "value": "0x00e3f146" } ], "repeated": 0, "id": 485 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f393", "parentcaller": "0x00e3f2e3", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "Software\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown" }, { "name": "Handle", "value": "0x00000380" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown" } ], "repeated": 0, "id": 486 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f3cd", "parentcaller": "0x00e3f2e3", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Handle", "value": "0x00000380" }, { "name": "ValueName", "value": "bUseWhitelistConfigFile" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bUseWhitelistConfigFile" } ], "repeated": 0, "id": 487 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3f546", "parentcaller": "0x00e3f2e3", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000380" } ], "repeated": 0, "id": 488 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e34a2b", "parentcaller": "0x00e3feeb", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Installer" }, { "name": "Handle", "value": "0x00000380" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\11.0\\Installer" } ], "repeated": 0, "id": 489 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e34a74", "parentcaller": "0x00e3feeb", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000380" }, { "name": "ValueName", "value": "Path" }, { "name": "Data", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Adobe\\Acrobat Reader\\11.0\\Installer\\Path" } ], "repeated": 0, "id": 490 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e34ab0", "parentcaller": "0x00e3feeb", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000380" } ], "repeated": 0, "id": 491 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3ff07", "parentcaller": "0x00e3f5b1", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 492 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3ff07", "parentcaller": "0x00e3f5b1", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\plug_ins\\Test_Tools\\aaFEAT.api" } ], "repeated": 0, "id": 493 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e3ff07", "parentcaller": "0x00e3f5b1", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 494 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05079000" }, { "name": "RegionSize", "value": "0x00011000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 495 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0508a000" }, { "name": "RegionSize", "value": "0x00021000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 496 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e26959", "parentcaller": "0x00e6c6b6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "ModuleHandle", "value": "0x76320000" }, { "name": "FunctionName", "value": "SHGetFolderPathW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7647db90" } ], "repeated": 0, "id": 497 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "windows.storage.dll" } ], "repeated": 0, "id": 498 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\windows.storage.dll" } ], "repeated": 0, "id": 499 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000380" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\windows.storage.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 500 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000384" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000380" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\windows.storage.dll" } ], "repeated": 0, "id": 501 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000384" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x746e0000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x00608000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 502 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74c81000" }, { "name": "ModuleName", "value": "windows.storage.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 503 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 504 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 505 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74c7b000" }, { "name": "ModuleName", "value": "windows.storage.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 506 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "Wldp.dll" } ], "repeated": 0, "id": 507 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000384" } ], "repeated": 0, "id": 508 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000380" } ], "repeated": 0, "id": 509 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\wldp.dll" } ], "repeated": 0, "id": 510 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000380" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\wldp.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 511 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000384" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000380" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\wldp.dll" } ], "repeated": 0, "id": 512 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3548", "caller": "0x00e3d810", "parentcaller": "0x00000000", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x759a8000" }, { "name": "ModuleName", "value": "combase.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 513 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3548", "caller": "0x00e3d810", "parentcaller": "0x00000000", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x759a8000" }, { "name": "ModuleName", "value": "combase.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 514 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "2136", "caller": "0x76f51b4e", "parentcaller": "0x76f4daf1", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000088" }, { "name": "Milliseconds", "value": "18446744073709551615" }, { "name": "Status", "value": "Infinite" } ], "repeated": 1, "id": 515 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x746cf000" }, { "name": "ModuleName", "value": "Wldp.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 516 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 517 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 518 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x746cd000" }, { "name": "ModuleName", "value": "Wldp.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 519 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000384" } ], "repeated": 0, "id": 520 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000380" } ], "repeated": 0, "id": 521 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74c7b000" }, { "name": "ModuleName", "value": "windows.storage.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 522 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "35" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\r\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 0D \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 02 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 40 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 75 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 8B \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 83 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 74 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 1C \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00 F3 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 523 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x746cd000" }, { "name": "ModuleName", "value": "Wldp.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 524 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\SYSTEM32\\Wldp.dll" } ], "repeated": 0, "id": 525 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000380" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\wldp.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 526 }, { "timestamp": "2026-06-28 21:56:15,308", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000380" } ], "repeated": 0, "id": 527 }, { "timestamp": "2026-06-28 21:56:15,324", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x746cd000" }, { "name": "ModuleName", "value": "Wldp.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 528 }, { "timestamp": "2026-06-28 21:56:15,324", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x746cd000" }, { "name": "ModuleName", "value": "Wldp.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 529 }, { "timestamp": "2026-06-28 21:56:15,324", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\Wldp" }, { "name": "DllBase", "value": "0x746b0000" } ], "repeated": 0, "id": 530 }, { "timestamp": "2026-06-28 21:56:15,324", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\SYSTEM32\\windows.storage.dll" } ], "repeated": 0, "id": 531 }, { "timestamp": "2026-06-28 21:56:15,324", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x0000038c" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\windows.storage.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 532 }, { "timestamp": "2026-06-28 21:56:15,324", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000038c" } ], "repeated": 0, "id": 533 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74c7b000" }, { "name": "ModuleName", "value": "windows.storage.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 534 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74c7b000" }, { "name": "ModuleName", "value": "windows.storage.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 535 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\windows.storage" }, { "name": "DllBase", "value": "0x746e0000" } ], "repeated": 0, "id": 536 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\wldp" }, { "name": "BaseAddress", "value": "0x746b0000" }, { "name": "InitRoutine", "value": "0x746b85a0" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 537 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "api-ms-win-core-synch-l1-2-0.dll" }, { "name": "ModuleHandle", "value": "0x75a80000" } ], "repeated": 0, "id": 538 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x75a80000" }, { "name": "FunctionName", "value": "InitializeConditionVariable" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f64d50" } ], "repeated": 0, "id": 539 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x75a80000" }, { "name": "FunctionName", "value": "SleepConditionVariableCS" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75c33860" } ], "repeated": 0, "id": 540 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x75a80000" }, { "name": "FunctionName", "value": "WakeAllConditionVariable" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f6a4b0" } ], "repeated": 0, "id": 541 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74c81000" }, { "name": "ModuleName", "value": "windows.storage.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 542 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74c81000" }, { "name": "ModuleName", "value": "windows.storage.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 543 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\windows.storage" }, { "name": "BaseAddress", "value": "0x746e0000" }, { "name": "InitRoutine", "value": "0x748bb2d0" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 544 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x76873000" }, { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 545 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x76873000" }, { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 546 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "2136", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 547 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "2136", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 548 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 549 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffa5", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x00000026", "pretty_value": "CSIDL_PROGRAM_FILES" }, { "name": "Path", "value": "C:\\Program Files (x86)" } ], "repeated": 0, "id": 550 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 551 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "4784", "caller": "0x76f40787", "parentcaller": "0x76f4048f", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006db000" }, { "name": "RegionSize", "value": "0x00005000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 552 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\*" } ], "repeated": 0, "id": 553 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 554 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 555 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)" } ], "repeated": 0, "id": 556 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 557 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\*" } ], "repeated": 0, "id": 558 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)" } ], "repeated": 0, "id": 559 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 560 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 561 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)" } ], "repeated": 0, "id": 562 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 563 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)" } ], "repeated": 0, "id": 564 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 565 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffed", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 566 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3ffed", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x00000024", "pretty_value": "CSIDL_WINDOWS" }, { "name": "Path", "value": "C:\\Windows" } ], "repeated": 0, "id": 567 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 568 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\*" } ], "repeated": 0, "id": 569 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 570 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 571 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows" } ], "repeated": 0, "id": 572 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Windows" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01ca0431" } ], "repeated": 0, "id": 573 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 574 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 575 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\*" } ], "repeated": 0, "id": 576 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows" } ], "repeated": 0, "id": 577 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 578 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050ab000" }, { "name": "RegionSize", "value": "0x00021000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 579 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 580 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows" } ], "repeated": 0, "id": 581 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Windows" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01ca0431" } ], "repeated": 0, "id": 582 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 583 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 584 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows" } ], "repeated": 0, "id": 585 }, { "timestamp": "2026-06-28 21:56:15,418", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 586 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e34a2b", "parentcaller": "0x00e40029", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Installer" }, { "name": "Handle", "value": "0x000003c8" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\11.0\\Installer" } ], "repeated": 0, "id": 587 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e34a74", "parentcaller": "0x00e40029", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" }, { "name": "ValueName", "value": "Path" }, { "name": "Data", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Adobe\\Acrobat Reader\\11.0\\Installer\\Path" } ], "repeated": 0, "id": 588 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e34ab0", "parentcaller": "0x00e40029", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 589 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 590 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\*" } ], "repeated": 0, "id": 591 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 592 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 593 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0" } ], "repeated": 0, "id": 594 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0x213cb674" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0746" } ], "repeated": 0, "id": 595 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 596 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 597 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\*" } ], "repeated": 0, "id": 598 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0" } ], "repeated": 0, "id": 599 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe" } ], "repeated": 0, "id": 600 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)" } ], "repeated": 0, "id": 601 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 602 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 603 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\" } ], "repeated": 0, "id": 604 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0x213cb674" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0746" } ], "repeated": 0, "id": 605 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 606 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 607 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\" } ], "repeated": 0, "id": 608 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0" } ], "repeated": 0, "id": 609 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe" } ], "repeated": 0, "id": 610 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)" } ], "repeated": 0, "id": 611 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 612 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 613 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\*" } ], "repeated": 0, "id": 614 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 615 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 616 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader" } ], "repeated": 0, "id": 617 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0x213cb674" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0746" } ], "repeated": 0, "id": 618 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 619 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader" }, { "name": "FirstCreateTimeLow", "value": "0x214fc937" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0746" } ], "repeated": 0, "id": 620 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 621 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 622 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\*" } ], "repeated": 0, "id": 623 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader" } ], "repeated": 0, "id": 624 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0" } ], "repeated": 0, "id": 625 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe" } ], "repeated": 0, "id": 626 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)" } ], "repeated": 0, "id": 627 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 628 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 629 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader" } ], "repeated": 0, "id": 630 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0x213cb674" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0746" } ], "repeated": 0, "id": 631 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 632 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader" }, { "name": "FirstCreateTimeLow", "value": "0x214fc937" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0746" } ], "repeated": 0, "id": 633 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 634 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 635 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader" } ], "repeated": 0, "id": 636 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0" } ], "repeated": 0, "id": 637 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe" } ], "repeated": 0, "id": 638 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Program Files (x86)" } ], "repeated": 0, "id": 639 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 640 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e400aa", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "kernel32.dll" }, { "name": "BaseAddress", "value": "0x75130000" } ], "repeated": 0, "id": 641 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e400aa", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 642 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e400aa", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 643 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 644 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged\\11.0\\*" } ], "repeated": 0, "id": 645 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 646 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 647 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged\\11.0" } ], "repeated": 0, "id": 648 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 649 }, { "timestamp": "2026-06-28 21:56:15,433", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 650 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged" } ], "repeated": 0, "id": 651 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 652 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 653 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 654 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 655 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 656 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 657 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 658 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 659 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 660 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 661 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 662 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 663 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 664 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 665 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 666 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 667 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged\\11.0\\*" } ], "repeated": 0, "id": 668 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged\\11.0" } ], "repeated": 0, "id": 669 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged" } ], "repeated": 0, "id": 670 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 671 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 672 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 673 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 674 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 675 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 676 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 677 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 678 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged\\11.0" } ], "repeated": 0, "id": 679 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 680 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 681 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged" } ], "repeated": 0, "id": 682 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 683 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 684 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 685 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 686 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 687 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 688 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 689 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 690 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 691 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 692 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 693 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 694 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 695 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 696 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 697 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 698 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged\\11.0" } ], "repeated": 0, "id": 699 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged" } ], "repeated": 0, "id": 700 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 701 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 702 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 703 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 704 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 705 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 706 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 707 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e400ed", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 708 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e400ed", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 709 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 710 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" } ], "repeated": 0, "id": 711 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 712 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 713 }, { "timestamp": "2026-06-28 21:56:15,449", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" } ], "repeated": 0, "id": 714 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 715 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 716 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 717 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 718 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 719 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 720 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 721 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 722 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto" }, { "name": "FirstCreateTimeLow", "value": "0xf602e2aa" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 723 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 724 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" }, { "name": "FirstCreateTimeLow", "value": "0xf602e2aa" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 725 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 726 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 727 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" } ], "repeated": 0, "id": 728 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" } ], "repeated": 0, "id": 729 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto" } ], "repeated": 0, "id": 730 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 731 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 732 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 733 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 734 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 735 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 736 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050cc000" }, { "name": "RegionSize", "value": "0x00021000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 737 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 738 }, { "timestamp": "2026-06-28 21:56:15,465", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" } ], "repeated": 0, "id": 739 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 740 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 741 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 742 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 743 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 744 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 745 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 746 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 747 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto" }, { "name": "FirstCreateTimeLow", "value": "0xf602e2aa" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 748 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 749 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" }, { "name": "FirstCreateTimeLow", "value": "0xf602e2aa" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 750 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 751 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 752 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" } ], "repeated": 0, "id": 753 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto" } ], "repeated": 0, "id": 754 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 755 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 756 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 757 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 758 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 759 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 760 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e401bc", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 761 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e401bc", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 762 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 763 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot\\Ids\\*" } ], "repeated": 0, "id": 764 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 765 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 766 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot\\Ids" } ], "repeated": 0, "id": 767 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 768 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 769 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot" } ], "repeated": 0, "id": 770 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 771 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 772 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 773 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 774 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 775 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 776 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 777 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 778 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 779 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 780 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 781 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 782 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot\\Ids\\*" } ], "repeated": 0, "id": 783 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot\\Ids" } ], "repeated": 0, "id": 784 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot" } ], "repeated": 0, "id": 785 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 786 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 787 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 788 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 789 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 790 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 791 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot\\Ids" } ], "repeated": 0, "id": 792 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 793 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 794 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot" } ], "repeated": 0, "id": 795 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 796 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 797 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 798 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 799 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 800 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 801 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 802 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 803 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 804 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 805 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 806 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 807 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot\\Ids" } ], "repeated": 0, "id": 808 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot" } ], "repeated": 0, "id": 809 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 810 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 811 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 812 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 813 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 814 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e40283", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 815 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e40283", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001c", "pretty_value": "CSIDL_LOCAL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 816 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 817 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook\\*" } ], "repeated": 0, "id": 818 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 819 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 820 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook" } ], "repeated": 0, "id": 821 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 822 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 823 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 824 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 825 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 826 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 827 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 828 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 829 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook" }, { "name": "FirstCreateTimeLow", "value": "0xb8b770ec" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 830 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 831 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 832 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook\\*" } ], "repeated": 0, "id": 833 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook" } ], "repeated": 0, "id": 834 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft" } ], "repeated": 0, "id": 835 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 836 }, { "timestamp": "2026-06-28 21:56:15,480", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 837 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 838 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 839 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 840 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 841 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook" } ], "repeated": 0, "id": 842 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 843 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 844 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 845 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 846 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 847 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 848 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 849 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 850 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook" }, { "name": "FirstCreateTimeLow", "value": "0xb8b770ec" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 851 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 852 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 853 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook" } ], "repeated": 0, "id": 854 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft" } ], "repeated": 0, "id": 855 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 856 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 857 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 858 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 859 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 860 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e4034a", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 861 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e4034a", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 862 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 863 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Outlook\\*" } ], "repeated": 0, "id": 864 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 865 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 866 }, { "timestamp": "2026-06-28 21:56:15,496", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Outlook" } ], "repeated": 0, "id": 867 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 868 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 869 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 870 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 871 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 872 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 873 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 874 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 875 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 876 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 877 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 878 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 879 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Outlook\\*" } ], "repeated": 0, "id": 880 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Outlook" } ], "repeated": 0, "id": 881 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 882 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 883 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 884 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 885 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 886 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 887 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 888 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Outlook" } ], "repeated": 0, "id": 889 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 890 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 891 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 892 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 893 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 894 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 895 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 896 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 897 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 898 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006b9220", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 899 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ec" } ], "repeated": 0, "id": 900 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 901 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Outlook" } ], "repeated": 0, "id": 902 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 903 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 904 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 905 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 906 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 907 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 908 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050ed000" }, { "name": "RegionSize", "value": "0x00021000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 909 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e40476", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 910 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e40476", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x00000020", "pretty_value": "CSIDL_INTERNET_CACHE" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache" } ], "repeated": 0, "id": 911 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 912 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*" } ], "repeated": 0, "id": 913 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 914 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 915 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache" } ], "repeated": 0, "id": 916 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9098", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 917 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 918 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8898", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 919 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 920 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8958", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 921 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 922 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8a18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 923 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 924 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8718", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 925 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 926 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 927 }, { "timestamp": "2026-06-28 21:56:15,511", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*" } ], "repeated": 0, "id": 928 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache" } ], "repeated": 0, "id": 929 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows" } ], "repeated": 0, "id": 930 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft" } ], "repeated": 0, "id": 931 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 932 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 933 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 934 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 935 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 936 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 937 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache" } ], "repeated": 0, "id": 938 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8618", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 939 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 940 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8498", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 941 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 942 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d92d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 943 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 944 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d91d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 945 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 946 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d98", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 947 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 948 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 949 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache" } ], "repeated": 0, "id": 950 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows" } ], "repeated": 0, "id": 951 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft" } ], "repeated": 0, "id": 952 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 953 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 954 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 955 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 956 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 957 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e404e4", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 958 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e404e4", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 959 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 960 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\8.0\\*" } ], "repeated": 0, "id": 961 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 962 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 963 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\8.0" } ], "repeated": 0, "id": 964 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 965 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 966 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 967 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8718", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 968 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 969 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8518", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 970 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 971 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9258", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 972 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 973 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 974 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 975 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8ad8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 976 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 977 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d85d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 978 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 979 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 980 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\8.0\\*" } ], "repeated": 0, "id": 981 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\8.0" } ], "repeated": 0, "id": 982 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 983 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 984 }, { "timestamp": "2026-06-28 21:56:15,527", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 985 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 986 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 987 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 988 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 989 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 990 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\8.0" } ], "repeated": 0, "id": 991 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 992 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 993 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 994 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9058", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 995 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 996 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8b98", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 997 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 998 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8ed8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 999 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1000 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8998", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1001 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1002 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8bd8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1003 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1004 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8898", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1005 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1006 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1007 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\8.0" } ], "repeated": 0, "id": 1008 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1009 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1010 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1011 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1012 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1013 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1014 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1015 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e404e4", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1016 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e404e4", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1017 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1018 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\*" } ], "repeated": 0, "id": 1019 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1020 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1021 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\9.0" } ], "repeated": 0, "id": 1022 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1023 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1024 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1025 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8958", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1026 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1027 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8b58", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1028 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1029 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8fd8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1030 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1031 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1032 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1033 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8e58", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1034 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1035 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9018", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1036 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1037 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1038 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\*" } ], "repeated": 0, "id": 1039 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\9.0" } ], "repeated": 0, "id": 1040 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1041 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1042 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1043 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1044 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1045 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1046 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1047 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0510e000" }, { "name": "RegionSize", "value": "0x00021000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1048 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1049 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\9.0" } ], "repeated": 0, "id": 1050 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1051 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1052 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1053 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d98", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1054 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1055 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8818", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1056 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1057 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d83d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1058 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1059 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8b18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1060 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1061 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8758", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1062 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1063 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8f18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1064 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1065 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1066 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\9.0" } ], "repeated": 0, "id": 1067 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1068 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1069 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1070 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1071 }, { "timestamp": "2026-06-28 21:56:15,543", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1072 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1073 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1074 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e404e4", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1075 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e404e4", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1076 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1077 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" } ], "repeated": 0, "id": 1078 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1079 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1080 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" } ], "repeated": 0, "id": 1081 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1082 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1083 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1084 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8958", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1085 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1086 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9218", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1087 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1088 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8818", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1089 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1090 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9298", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1091 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1092 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9318", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1093 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1094 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8e18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1095 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1096 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1097 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" } ], "repeated": 0, "id": 1098 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" } ], "repeated": 0, "id": 1099 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1100 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1101 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1102 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1103 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1104 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1105 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1106 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1107 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" } ], "repeated": 0, "id": 1108 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1109 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1110 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1111 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8498", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1112 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1113 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8398", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1114 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1115 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8958", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1116 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1117 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9158", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1118 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1119 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8598", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1120 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1121 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8818", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1122 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e0" } ], "repeated": 0, "id": 1123 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1124 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" } ], "repeated": 0, "id": 1125 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1126 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1127 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1128 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1129 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1130 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1131 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1132 }, { "timestamp": "2026-06-28 21:56:15,558", "thread_id": "3636", "caller": "0x00e40f06", "parentcaller": "0x00e3f626", "category": "filesystem", "api": "CreateDirectoryExW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx" } ], "repeated": 0, "id": 1133 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41754", "parentcaller": "0x00e40fa5", "category": "filesystem", "api": "NtCreateFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000003e8" }, { "name": "DesiredAccess", "value": "0x00180080", "pretty_value": "FILE_READ_ATTRIBUTES|WRITE_OWNER|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx" }, { "name": "CreateDisposition", "value": "1", "pretty_value": "FILE_OPEN" }, { "name": "ShareAccess", "value": "7", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "yes" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1134 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e417cf", "parentcaller": "0x00e40fa5", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 1135 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e3f626", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006e0000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1136 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1137 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx\\*" } ], "repeated": 0, "id": 1138 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1139 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1140 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx" } ], "repeated": 0, "id": 1141 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8598", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1142 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 1143 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8c58", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1144 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 1145 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8b98", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1146 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 1147 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8398", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1148 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 1149 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8e18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1150 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 1151 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1152 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx\\*" } ], "repeated": 0, "id": 1153 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx" } ], "repeated": 0, "id": 1154 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp" } ], "repeated": 0, "id": 1155 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1156 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1157 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1158 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1159 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1160 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41d5b", "parentcaller": "0x00e41b14", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000003e8" }, { "name": "DesiredAccess", "value": "0x00100020", "pretty_value": "FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32" }, { "name": "ShareAccess", "value": "3", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE" } ], "repeated": 0, "id": 1161 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41d5b", "parentcaller": "0x00e41b14", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000090" } ], "repeated": 0, "id": 1162 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41d97", "parentcaller": "0x00e41b14", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "C:\\Windows\\System32\\shell32.dll" }, { "name": "BaseAddress", "value": "0x76320000" } ], "repeated": 0, "id": 1163 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41da7", "parentcaller": "0x00e41b14", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000090" }, { "name": "DesiredAccess", "value": "0x00100020", "pretty_value": "FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp" }, { "name": "ShareAccess", "value": "3", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE" } ], "repeated": 0, "id": 1164 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41da7", "parentcaller": "0x00e41b14", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e8" } ], "repeated": 0, "id": 1165 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41b27", "parentcaller": "0x00e3f670", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "ModuleHandle", "value": "0x76320000" }, { "name": "FunctionName", "value": "SHGetKnownFolderPath" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76489d80" } ], "repeated": 0, "id": 1166 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e3f670", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\profapi" }, { "name": "DllBase", "value": "0x73a10000" } ], "repeated": 0, "id": 1167 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e3f670", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 1, "id": 1168 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e3f670", "category": "filesystem", "api": "SHGetKnownFolderPath", "status": true, "return": "0x00000000", "arguments": [ { "name": "FolderID", "value": "A520A1A4-1780-4FF6-BD18-167343C5AF16" }, { "name": "Flags", "value": "0x00008000" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" } ], "repeated": 0, "id": 1169 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e26959", "parentcaller": "0x00e6c6db", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ole32.dll" }, { "name": "ModuleHandle", "value": "0x754f0000" }, { "name": "FunctionName", "value": "CoTaskMemFree" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75866b20" } ], "repeated": 0, "id": 1170 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e26959", "parentcaller": "0x00e6c6b6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "ModuleHandle", "value": "0x76320000" }, { "name": "FunctionName", "value": "SHCreateDirectoryExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7649b4d0" } ], "repeated": 0, "id": 1171 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e3f67f", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x76872000" }, { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1172 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e3f67f", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x76872000" }, { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1173 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f67f", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0" } ], "repeated": 0, "id": 1174 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1175 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0\\*" } ], "repeated": 0, "id": 1176 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1177 }, { "timestamp": "2026-06-28 21:56:15,574", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1178 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0" } ], "repeated": 0, "id": 1179 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8a18", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1180 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1181 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8518", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1182 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1183 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8918", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1184 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1185 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d92d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" }, { "name": "FirstCreateTimeLow", "value": "0xef21f0d4" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1186 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1187 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d91d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xb2bcce1e" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1188 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1189 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8e58", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1190 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1191 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8e18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1192 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1193 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1194 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0\\*" } ], "repeated": 0, "id": 1195 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0" } ], "repeated": 0, "id": 1196 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1197 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe" } ], "repeated": 0, "id": 1198 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" } ], "repeated": 0, "id": 1199 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1200 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1201 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1202 }, { "timestamp": "2026-06-28 21:56:15,590", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1203 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e3f6a5", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 1, "id": 1204 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e3f6a5", "category": "filesystem", "api": "SHGetKnownFolderPath", "status": true, "return": "0x00000000", "arguments": [ { "name": "FolderID", "value": "A520A1A4-1780-4FF6-BD18-167343C5AF16" }, { "name": "Flags", "value": "0x00008000" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" } ], "repeated": 0, "id": 1205 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f6b4", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Linguistics" } ], "repeated": 0, "id": 1206 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1207 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Linguistics\\*" } ], "repeated": 0, "id": 1208 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1209 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1210 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Linguistics" } ], "repeated": 0, "id": 1211 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d88d8", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1212 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1213 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8558", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1214 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1215 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8cd8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1216 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1217 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d85d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" }, { "name": "FirstCreateTimeLow", "value": "0xef21f0d4" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1218 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1219 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8898", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xb2bcce1e" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1220 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1221 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1222 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Linguistics\\*" } ], "repeated": 0, "id": 1223 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Linguistics" } ], "repeated": 0, "id": 1224 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe" } ], "repeated": 0, "id": 1225 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" } ], "repeated": 0, "id": 1226 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1227 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1228 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1229 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1230 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0512f000" }, { "name": "RegionSize", "value": "0x00021000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1231 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e3f6da", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 1, "id": 1232 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e3f6da", "category": "filesystem", "api": "SHGetKnownFolderPath", "status": true, "return": "0x00000000", "arguments": [ { "name": "FolderID", "value": "A520A1A4-1780-4FF6-BD18-167343C5AF16" }, { "name": "Flags", "value": "0x00008000" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" } ], "repeated": 0, "id": 1233 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1234 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IMJP*\\*" } ], "repeated": 0, "id": 1235 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1236 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1237 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IMJP*" } ], "repeated": 0, "id": 1238 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1239 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1240 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft" } ], "repeated": 0, "id": 1241 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8398", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1242 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1243 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d91d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1244 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1245 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9118", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1246 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1247 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9098", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" }, { "name": "FirstCreateTimeLow", "value": "0xef21f0d4" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1248 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1249 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1250 }, { "timestamp": "2026-06-28 21:56:15,605", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IMJP*\\*" } ], "repeated": 0, "id": 1251 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IMJP*" } ], "repeated": 0, "id": 1252 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft" } ], "repeated": 0, "id": 1253 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" } ], "repeated": 0, "id": 1254 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1255 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1256 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1257 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1258 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e3f70f", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 1, "id": 1259 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e3f70f", "category": "filesystem", "api": "SHGetKnownFolderPath", "status": true, "return": "0x00000000", "arguments": [ { "name": "FolderID", "value": "A520A1A4-1780-4FF6-BD18-167343C5AF16" }, { "name": "Flags", "value": "0x00008000" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" } ], "repeated": 0, "id": 1260 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1261 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IME*\\*" } ], "repeated": 0, "id": 1262 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1263 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1264 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IME*" } ], "repeated": 0, "id": 1265 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1266 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1267 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft" } ], "repeated": 0, "id": 1268 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8998", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1269 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1270 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9118", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1271 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1272 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d88d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1273 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1274 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8958", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" }, { "name": "FirstCreateTimeLow", "value": "0xef21f0d4" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1275 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1276 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1277 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IME*\\*" } ], "repeated": 0, "id": 1278 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IME*" } ], "repeated": 0, "id": 1279 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft" } ], "repeated": 0, "id": 1280 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" } ], "repeated": 0, "id": 1281 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1282 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1283 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1284 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1285 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f744", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1286 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f744", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1287 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f756", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0" } ], "repeated": 0, "id": 1288 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1289 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0\\*" } ], "repeated": 0, "id": 1290 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1291 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1292 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0" } ], "repeated": 0, "id": 1293 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8718", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1294 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1295 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d83d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1296 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1297 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8fd8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1298 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1299 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9058", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1300 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1301 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d84d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1302 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1303 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006cedf0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1304 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1305 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8b58", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0" }, { "name": "FirstCreateTimeLow", "value": "0xb2bf2d8b" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1306 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1307 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1308 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0\\*" } ], "repeated": 0, "id": 1309 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0" } ], "repeated": 0, "id": 1310 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1311 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1312 }, { "timestamp": "2026-06-28 21:56:15,621", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1313 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1314 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1315 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1316 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1317 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f77c", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1318 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f77c", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001c", "pretty_value": "CSIDL_LOCAL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1319 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f78e", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0" } ], "repeated": 0, "id": 1320 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1321 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0\\*" } ], "repeated": 0, "id": 1322 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1323 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1324 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0" } ], "repeated": 0, "id": 1325 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8a58", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1326 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1327 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1328 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1329 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8498", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1330 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1331 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d98", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1332 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1333 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9258", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xb2c1906c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1334 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1335 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8b18", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat" }, { "name": "FirstCreateTimeLow", "value": "0xb2c1906c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1336 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1337 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d1ca0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0" }, { "name": "FirstCreateTimeLow", "value": "0xb2c1906c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1338 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1339 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1340 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0\\*" } ], "repeated": 0, "id": 1341 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0" } ], "repeated": 0, "id": 1342 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat" } ], "repeated": 0, "id": 1343 }, { "timestamp": "2026-06-28 21:56:15,636", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe" } ], "repeated": 0, "id": 1344 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1345 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1346 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1347 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1348 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1349 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f7b4", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1350 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f7b4", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001c", "pretty_value": "CSIDL_LOCAL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1351 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f7c6", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color" } ], "repeated": 0, "id": 1352 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1353 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color\\*" } ], "repeated": 0, "id": 1354 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1355 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1356 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color" } ], "repeated": 0, "id": 1357 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9158", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1358 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1359 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d88d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1360 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1361 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8758", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1362 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1363 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8ed8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1364 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1365 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8918", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xb2c1906c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1366 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1367 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d85d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color" }, { "name": "FirstCreateTimeLow", "value": "0xb2c1906c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1368 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1369 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1370 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color\\*" } ], "repeated": 0, "id": 1371 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color" } ], "repeated": 0, "id": 1372 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe" } ], "repeated": 0, "id": 1373 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1374 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1375 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1376 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1377 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1378 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f7ec", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1379 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f7ec", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1380 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f7fe", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Linguistics" } ], "repeated": 0, "id": 1381 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1382 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Linguistics\\*" } ], "repeated": 0, "id": 1383 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1384 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1385 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Linguistics" } ], "repeated": 0, "id": 1386 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8558", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1387 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1388 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8558", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1389 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1390 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8818", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1391 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1392 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8598", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1393 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1394 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d86d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1395 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1396 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1397 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Linguistics\\*" } ], "repeated": 0, "id": 1398 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Linguistics" } ], "repeated": 0, "id": 1399 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1400 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1401 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1402 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1403 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1404 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1405 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05940000" }, { "name": "RegionSize", "value": "0x00200000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1406 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05940000" }, { "name": "RegionSize", "value": "0x00022000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1407 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f824", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1408 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f824", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1409 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f880", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech" } ], "repeated": 0, "id": 1410 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1411 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech\\*" } ], "repeated": 0, "id": 1412 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1413 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1414 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech" } ], "repeated": 0, "id": 1415 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8858", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1416 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1417 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8558", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1418 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1419 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d87d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1420 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1421 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9218", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1422 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1423 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006cea70", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech" }, { "name": "FirstCreateTimeLow", "value": "0xb2c1906c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0748" } ], "repeated": 0, "id": 1424 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003e4" } ], "repeated": 0, "id": 1425 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1426 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech\\*" } ], "repeated": 0, "id": 1427 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech" } ], "repeated": 0, "id": 1428 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 1429 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1430 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1431 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1432 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1433 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1434 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f8cb", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1435 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f8cb", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1436 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f8dd", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\LogTransport2" } ], "repeated": 0, "id": 1437 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1438 }, { "timestamp": "2026-06-28 21:56:15,652", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\LogTransport2\\*" } ], "repeated": 0, "id": 1439 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1440 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1441 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\LogTransport2" } ], "repeated": 0, "id": 1442 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d18", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1443 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1444 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8598", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1445 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1446 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8398", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1447 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1448 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8418", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1449 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1450 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8b58", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1451 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1452 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1453 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\LogTransport2\\*" } ], "repeated": 0, "id": 1454 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\LogTransport2" } ], "repeated": 0, "id": 1455 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1456 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1457 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1458 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1459 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1460 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1461 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f903", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1462 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f903", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1463 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f915", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Headlights" } ], "repeated": 0, "id": 1464 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1465 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Headlights\\*" } ], "repeated": 0, "id": 1466 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1467 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1468 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Headlights" } ], "repeated": 0, "id": 1469 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8ed8", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1470 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1471 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8958", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1472 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1473 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8758", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1474 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1475 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8618", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1476 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1477 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8858", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1478 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1479 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1480 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Headlights\\*" } ], "repeated": 0, "id": 1481 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Headlights" } ], "repeated": 0, "id": 1482 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1483 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1484 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1485 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1486 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1487 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1488 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f93b", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1489 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f93b", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1490 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e41fa1", "parentcaller": "0x00e3f94d", "category": "filesystem", "api": "CreateDirectoryW", "status": false, "return": "0x00000000", "arguments": [ { "name": "DirectoryName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" } ], "repeated": 0, "id": 1491 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1492 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" } ], "repeated": 0, "id": 1493 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1494 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1495 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" } ], "repeated": 0, "id": 1496 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8b58", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1497 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1498 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d58", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1499 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1500 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d58", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1501 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1502 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8958", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1503 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1504 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8f58", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" }, { "name": "FirstCreateTimeLow", "value": "0xf757d2c1" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1505 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1506 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1507 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" } ], "repeated": 0, "id": 1508 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" } ], "repeated": 0, "id": 1509 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player" } ], "repeated": 0, "id": 1510 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe" } ], "repeated": 0, "id": 1511 }, { "timestamp": "2026-06-28 21:56:15,668", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1512 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1513 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1514 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1515 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1516 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f973", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1517 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f973", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1518 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1519 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IME*\\*" } ], "repeated": 0, "id": 1520 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1521 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1522 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IME*" } ], "repeated": 0, "id": 1523 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1524 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1525 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 1526 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d89d8", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1527 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1528 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8858", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1529 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1530 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8698", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1531 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1532 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d9298", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1533 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1534 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1535 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IME*\\*" } ], "repeated": 0, "id": 1536 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IME*" } ], "repeated": 0, "id": 1537 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 1538 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1539 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1540 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1541 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1542 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1543 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f9ab", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1544 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f9ab", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001c", "pretty_value": "CSIDL_LOCAL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1545 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1546 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IME*\\*" } ], "repeated": 0, "id": 1547 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1548 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1549 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IME*" } ], "repeated": 0, "id": 1550 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1551 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1552 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft" } ], "repeated": 0, "id": 1553 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8c58", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1554 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1555 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8798", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1556 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1557 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d89d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1558 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1559 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8998", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1560 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1561 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1562 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IME*\\*" } ], "repeated": 0, "id": 1563 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IME*" } ], "repeated": 0, "id": 1564 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft" } ], "repeated": 0, "id": 1565 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1566 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1567 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1568 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1569 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1570 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05962000" }, { "name": "RegionSize", "value": "0x00021000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1571 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f9e3", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1572 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3f9e3", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1573 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1574 }, { "timestamp": "2026-06-28 21:56:15,683", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IMJP*\\*" } ], "repeated": 0, "id": 1575 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1576 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1577 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IMJP*" } ], "repeated": 0, "id": 1578 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1579 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1580 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 1581 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8d58", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1582 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1583 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d87d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1584 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1585 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d83d8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1586 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1587 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8fd8", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1588 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1589 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1590 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IMJP*\\*" } ], "repeated": 0, "id": 1591 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IMJP*" } ], "repeated": 0, "id": 1592 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft" } ], "repeated": 0, "id": 1593 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1594 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1595 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1596 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1597 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1598 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fa1b", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1599 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fa1b", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001c", "pretty_value": "CSIDL_LOCAL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1600 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1601 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IMJP*\\*" } ], "repeated": 0, "id": 1602 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1603 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1604 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IMJP*" } ], "repeated": 0, "id": 1605 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1606 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1607 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft" } ], "repeated": 0, "id": 1608 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006ced70", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1609 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1610 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006cef70", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1611 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1612 }, { "timestamp": "2026-06-28 21:56:15,699", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006ce8b0", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" }, { "name": "FirstCreateTimeLow", "value": "0xeee3f58c" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1613 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1614 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006ced70", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" }, { "name": "FirstCreateTimeLow", "value": "0xeee655e5" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1615 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1616 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1617 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IMJP*\\*" } ], "repeated": 0, "id": 1618 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000033", "pretty_return": "OBJECT_NAME_INVALID", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IMJP*" } ], "repeated": 0, "id": 1619 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft" } ], "repeated": 0, "id": 1620 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1621 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData" } ], "repeated": 0, "id": 1622 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1623 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1624 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1625 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fa53", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1626 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fa53", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x00000005", "pretty_value": "CSIDL_MYDOCUMENTS" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\Documents" } ], "repeated": 0, "id": 1627 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1628 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Documents\\ArcotIDs\\*" } ], "repeated": 0, "id": 1629 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36ca0", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1630 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1631 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Documents\\ArcotIDs" } ], "repeated": 0, "id": 1632 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1633 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 1634 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Documents" } ], "repeated": 0, "id": 1635 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8418", "arguments": [ { "name": "FileName", "value": "C:\\Users" }, { "name": "FirstCreateTimeLow", "value": "0x3a6eea36" }, { "name": "FirstCreateTimeHigh", "value": "0x01d5acdd" } ], "repeated": 0, "id": 1636 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1637 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x006d8998", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" }, { "name": "FirstCreateTimeLow", "value": "0xeedf2ef8" }, { "name": "FirstCreateTimeHigh", "value": "0x01dd0776" } ], "repeated": 0, "id": 1638 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1639 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e36544", "parentcaller": "0x00e36631", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1640 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Documents\\ArcotIDs\\*" } ], "repeated": 0, "id": 1641 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Documents\\ArcotIDs" } ], "repeated": 0, "id": 1642 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\Documents" } ], "repeated": 0, "id": 1643 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh" } ], "repeated": 0, "id": 1644 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Users" } ], "repeated": 0, "id": 1645 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e370d8", "parentcaller": "0x00e36cf3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\" } ], "repeated": 0, "id": 1646 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fa8e", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1647 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fa8e", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001c", "pretty_value": "CSIDL_LOCAL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Local" } ], "repeated": 0, "id": 1648 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fab4", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1649 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fab4", "parentcaller": "0x00e3f2ea", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Local\\Lotus\\Notes\\Data" } ], "repeated": 0, "id": 1650 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fab4", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1651 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fc44", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1652 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fc44", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1653 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fc68", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1654 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fc68", "parentcaller": "0x00e3f2ea", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc000003a", "pretty_return": "OBJECT_PATH_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Intuit\\Quicken\\Log" } ], "repeated": 0, "id": 1655 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fc68", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1656 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fcb7", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1657 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fcb7", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1658 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fcd2", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1659 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fcd2", "parentcaller": "0x00e3f2ea", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Justsystem" } ], "repeated": 0, "id": 1660 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fcd2", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1661 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fd21", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1662 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e3fd21", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1663 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fd44", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1664 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fd44", "parentcaller": "0x00e3f2ea", "category": "filesystem", "api": "NtQueryAttributesFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "C:\\Users\\Rajesh\\AppData\\Roaming\\Enfocus Prefs Folder" } ], "repeated": 0, "id": 1665 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e3fd44", "parentcaller": "0x00e3f2ea", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1666 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1667 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42896", "parentcaller": "0x00e427ce", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 1668 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e428ae", "parentcaller": "0x00e427ce", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "NtQueryObject" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f72ab0" } ], "repeated": 0, "id": 1669 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1670 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1671 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1672 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1673 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1674 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1675 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1676 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1677 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1678 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1679 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1680 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1681 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1682 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05983000" }, { "name": "RegionSize", "value": "0x00043000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1683 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x059c1000" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1684 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1685 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1686 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1687 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1688 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000404" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1689 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000404" } ], "repeated": 0, "id": 1690 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000000", "pretty_value": "HKEY_CLASSES_ROOT" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x000003fa" }, { "name": "FullName", "value": "HKEY_CLASSES_ROOT\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1691 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fa" } ], "repeated": 0, "id": 1692 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x000003f8" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1693 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1694 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x000003f8" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1695 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003f8" } ], "repeated": 0, "id": 1696 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000003", "pretty_value": "HKEY_USERS" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x000003fc" }, { "name": "FullName", "value": "HKEY_USERS\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1697 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003fc" } ], "repeated": 0, "id": 1698 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000005", "pretty_value": "HKEY_CURRENT_CONFIG" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000408" }, { "name": "FullName", "value": "HKEY_CURRENT_CONFIG\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1699 }, { "timestamp": "2026-06-28 21:56:15,715", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000408" } ], "repeated": 0, "id": 1700 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42984", "parentcaller": "0x00e42237", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Adobe Acrobat\\11.0" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x000f003f", "pretty_value": "KEY_ALL_ACCESS" }, { "name": "Handle", "value": "0x00000408" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\11.0" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1701 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000040c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1702 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000040c" } ], "repeated": 0, "id": 1703 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000040c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1704 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000040c" } ], "repeated": 0, "id": 1705 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42984", "parentcaller": "0x00e4227d", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x000f003f", "pretty_value": "KEY_ALL_ACCESS" }, { "name": "Handle", "value": "0x0000040c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1706 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000410" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1707 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000410" } ], "repeated": 0, "id": 1708 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000410" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1709 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000410" } ], "repeated": 0, "id": 1710 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42984", "parentcaller": "0x00e422c3", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Adobe Synchronizer\\11.0" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x000f003f", "pretty_value": "KEY_ALL_ACCESS" }, { "name": "Handle", "value": "0x00000410" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\11.0" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1711 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000414" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1712 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000414" } ], "repeated": 0, "id": 1713 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000414" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1714 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000414" } ], "repeated": 0, "id": 1715 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42984", "parentcaller": "0x00e42309", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Adobe ARM\\1.0\\ARM" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x000f003f", "pretty_value": "KEY_ALL_ACCESS" }, { "name": "Handle", "value": "0x00000414" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe ARM\\1.0\\ARM" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1716 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000418" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1717 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000418" } ], "repeated": 0, "id": 1718 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x00000418" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1719 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000418" } ], "repeated": 0, "id": 1720 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42984", "parentcaller": "0x00e4234f", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\CommonFiles\\Usage\\Reader 11" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x000f003f", "pretty_value": "KEY_ALL_ACCESS" }, { "name": "Handle", "value": "0x00000418" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 11" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1721 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1722 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1723 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1724 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1725 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1726 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1727 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1728 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1729 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1730 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1731 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1732 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1733 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1734 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1735 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1736 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1737 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1738 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1739 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1740 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1741 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1742 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1743 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1744 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1745 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e42702", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCreateKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "" }, { "name": "Class", "value": "" }, { "name": "Access", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "Handle", "value": "0x0000041c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\" }, { "name": "Disposition", "value": "2", "pretty_value": "REG_OPENED_EXISTING_KEY" } ], "repeated": 0, "id": 1746 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4271f", "parentcaller": "0x00e424db", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1747 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "SOFTWARE\\Justsystem\\ATOK\\Setup\\Folder" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Justsystem\\ATOK\\Setup\\Folder" } ], "repeated": 0, "id": 1748 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4302e", "parentcaller": "0x00e42bb2", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000006", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "ValueName", "value": "Atok23" }, { "name": "FullName", "value": "Atok23" } ], "repeated": 0, "id": 1749 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2a6b2", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "SOFTWARE\\Justsystem\\ATOK\\Setup\\Folder" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Justsystem\\ATOK\\Setup\\Folder" } ], "repeated": 0, "id": 1750 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4302e", "parentcaller": "0x00e42bb2", "category": "registry", "api": "RegQueryValueExW", "status": false, "return": "0x00000006", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "ValueName", "value": "Atok24" }, { "name": "FullName", "value": "Atok24" } ], "repeated": 0, "id": 1751 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e43965", "parentcaller": "0x00e4316f", "category": "process", "api": "NtOpenProcessToken", "status": false, "return": "0xffffffffc0000022", "pretty_return": "ACCESS_DENIED", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "DesiredAccess", "value": "0x000f01ff" }, { "name": "TokenHandle", "value": "0x00000000" } ], "repeated": 0, "id": 1752 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e43bc6", "parentcaller": "0x00e43643", "category": "synchronization", "api": "NtCreateMutant", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" }, { "name": "MutexName", "value": "{100184D2-BDC3-477a-B8D3-65548B67914C}_3412" }, { "name": "InitialOwner", "value": "0" } ], "repeated": 0, "id": 1753 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e43c48", "parentcaller": "0x00e43643", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1754 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x059c6000" }, { "name": "RegionSize", "value": "0x00043000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1755 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a03000" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1756 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a09000" }, { "name": "RegionSize", "value": "0x00043000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1757 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a47000" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1758 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a4c000" }, { "name": "RegionSize", "value": "0x00043000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1759 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a8a000" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1760 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a8f000" }, { "name": "RegionSize", "value": "0x00043000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1761 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22911", "parentcaller": "0x00e24fd9", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05acc000" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1762 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e45d7e", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 1, "id": 1763 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e41b5c", "parentcaller": "0x00e45d7e", "category": "filesystem", "api": "SHGetKnownFolderPath", "status": true, "return": "0x00000000", "arguments": [ { "name": "FolderID", "value": "A520A1A4-1780-4FF6-BD18-167343C5AF16" }, { "name": "Flags", "value": "0x00008000" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\LocalLow" } ], "repeated": 0, "id": 1764 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e45de4", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1765 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e405ac", "parentcaller": "0x00e45de4", "category": "filesystem", "api": "SHGetFolderPathW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Folder", "value": "0x0000001a", "pretty_value": "CSIDL_APPDATA" }, { "name": "Path", "value": "C:\\Users\\Rajesh\\AppData\\Roaming" } ], "repeated": 0, "id": 1766 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e476b5", "parentcaller": "0x00e4713c", "category": "process", "api": "NtOpenProcessToken", "status": false, "return": "0xffffffffc0000022", "pretty_return": "ACCESS_DENIED", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "DesiredAccess", "value": "0x000f01ff" }, { "name": "TokenHandle", "value": "0x00000000" } ], "repeated": 0, "id": 1767 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "2136", "caller": "0x76f6b4e6", "parentcaller": "0x7514fa30", "category": "threading", "api": "NtQueryInformationThread", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0xfffffffe" }, { "name": "ThreadInformationClass", "value": "12" }, { "name": "ThreadInformation", "value": "\\x00\\x00\\x00\\x00" }, { "name": "ThreadId", "value": "2136" } ], "repeated": 0, "id": 1768 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "4784", "caller": "0x76f6b4e6", "parentcaller": "0x7514fa30", "category": "threading", "api": "NtQueryInformationThread", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0xfffffffe" }, { "name": "ThreadInformationClass", "value": "12" }, { "name": "ThreadInformation", "value": "\\x00\\x00\\x00\\x00" }, { "name": "ThreadId", "value": "4784" } ], "repeated": 0, "id": 1769 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "4784", "caller": "0x76f51b4e", "parentcaller": "0x76f4f6de", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000088" }, { "name": "Milliseconds", "value": "18446744073709551615" }, { "name": "Status", "value": "Infinite" } ], "repeated": 1, "id": 1770 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3548", "caller": "0x00e26959", "parentcaller": "0x00e6c6db", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ole32.dll" }, { "name": "ModuleHandle", "value": "0x754f0000" }, { "name": "FunctionName", "value": "CoUninitialize" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75807f70" } ], "repeated": 0, "id": 1771 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "2136", "caller": "0x760b45ae", "parentcaller": "0x760b442c", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 1772 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "2136", "caller": "0x76f6b509", "parentcaller": "0x7514fa30", "category": "threading", "api": "NtTerminateThread", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x00000000" }, { "name": "ExitStatus", "value": "0x00000000" }, { "name": "ThreadId", "value": "0" }, { "name": "ProcessId", "value": "0" } ], "repeated": 2, "id": 1773 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e7ae9f", "parentcaller": "0x00eb7620", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1774 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e7ae9f", "parentcaller": "0x00eb7620", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000330" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 1775 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00eb7629", "parentcaller": "0x00eb76bb", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000330" } ], "repeated": 0, "id": 1776 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3548", "caller": "0x00e3d8e0", "parentcaller": "0x00000000", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "oleaut32.dll" }, { "name": "ModuleHandle", "value": "0x75450000" } ], "repeated": 0, "id": 1777 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00eb7635", "parentcaller": "0x00eb76bb", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 1778 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3548", "caller": "0x00e3d8e0", "parentcaller": "0x00000000", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x759a8000" }, { "name": "ModuleName", "value": "combase.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1779 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e7ae9f", "parentcaller": "0x00eb678d", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1780 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e7ae9f", "parentcaller": "0x00eb678d", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 1781 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3548", "caller": "0x00e3d8e0", "parentcaller": "0x00000000", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x759a8000" }, { "name": "ModuleName", "value": "combase.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1782 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00eb6796", "parentcaller": "0x00eb67eb", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" } ], "repeated": 0, "id": 1783 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3548", "caller": "0x76f6b4e6", "parentcaller": "0x7514fa30", "category": "threading", "api": "NtQueryInformationThread", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0xfffffffe" }, { "name": "ThreadInformationClass", "value": "12" }, { "name": "ThreadInformation", "value": "\\x00\\x00\\x00\\x00" }, { "name": "ThreadId", "value": "3548" } ], "repeated": 0, "id": 1784 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00eb679c", "parentcaller": "0x00eb67eb", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000338" } ], "repeated": 0, "id": 1785 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3548", "caller": "0x75b9106a", "parentcaller": "0x7588e703", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000037c" } ], "repeated": 0, "id": 1786 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00eb67a2", "parentcaller": "0x00eb67eb", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000033c" } ], "repeated": 0, "id": 1787 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e7ae9f", "parentcaller": "0x00ea3010", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1788 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e7ae9f", "parentcaller": "0x00ea3010", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000350" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 1789 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e7aebe", "parentcaller": "0x00ea3010", "category": "windows", "api": "PostThreadMessageW", "status": true, "return": "0x00000001", "arguments": [ { "name": "ProcessId", "value": "3412" }, { "name": "ThreadId", "value": "3548" }, { "name": "Message", "value": "18" } ], "repeated": 0, "id": 1790 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3548", "caller": "0x760b45ae", "parentcaller": "0x760b442c", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 1791 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3548", "caller": "0x76f6b509", "parentcaller": "0x7514fa30", "category": "threading", "api": "NtTerminateThread", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x00000000" }, { "name": "ExitStatus", "value": "0x00000000" }, { "name": "ThreadId", "value": "0" }, { "name": "ProcessId", "value": "0" } ], "repeated": 0, "id": 1792 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00ea3019", "parentcaller": "0x00ea30ab", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000350" } ], "repeated": 0, "id": 1793 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00ea301f", "parentcaller": "0x00ea30ab", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000348" } ], "repeated": 0, "id": 1794 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00ea3025", "parentcaller": "0x00ea30ab", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000034c" } ], "repeated": 0, "id": 1795 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e7ae9f", "parentcaller": "0x00ea0ac1", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1796 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e7ae9f", "parentcaller": "0x00ea0ac1", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 1797 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00ea0aca", "parentcaller": "0x00ea0b6b", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 1798 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00ea0b13", "parentcaller": "0x00ea0b6b", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000358" } ], "repeated": 0, "id": 1799 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00ea0b19", "parentcaller": "0x00ea0b6b", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000035c" } ], "repeated": 0, "id": 1800 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0508a000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1801 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05acf000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1802 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05074000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1803 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e5b000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1804 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e5d000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1805 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e56000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1806 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050ab000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1807 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050ec000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1808 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749a8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050ec000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1809 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050ec000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1810 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050cc000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1811 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0512e000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1812 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0510d000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1813 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a03000" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1814 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x059c3000" }, { "name": "RegionSize", "value": "0x00040000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1815 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x059c1000" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1816 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x059c3000" }, { "name": "RegionSize", "value": "0x00040000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1817 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05981000" }, { "name": "RegionSize", "value": "0x00082000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1818 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749a8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e5b000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1819 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05961000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1820 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e5b000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1821 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05961000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1822 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05941000" }, { "name": "RegionSize", "value": "0x0003f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1823 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a8a000" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1824 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e7499f", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a47000" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1825 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749a8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0512e000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1826 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749a8", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a07000" }, { "name": "RegionSize", "value": "0x00041000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1827 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749a8", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a4a000" }, { "name": "RegionSize", "value": "0x00040000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1828 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749a8", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0512e000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1829 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749a8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a4a000" }, { "name": "RegionSize", "value": "0x00040000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1830 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e5b000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1831 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e5d000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1832 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05074000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1833 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0508a000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1834 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050cc000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1835 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050ab000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1836 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050ec000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1837 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0512e000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1838 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a07000" }, { "name": "RegionSize", "value": "0x00041000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1839 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e749d8", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a07000" }, { "name": "RegionSize", "value": "0x00084000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 1840 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e73c55", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e60000" }, { "name": "RegionSize", "value": "0x00208000" }, { "name": "FreeType", "value": "0x00008000" } ], "repeated": 0, "id": 1841 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e57ec0", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Language\\current\\" }, { "name": "Handle", "value": "0x0000035c" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Language\\current\\" } ], "repeated": 0, "id": 1842 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e4302e", "parentcaller": "0x00e57f23", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000035c" }, { "name": "ValueName", "value": "" }, { "name": "Data", "value": "acrord32.dll" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\Language\\current\\(Default)" } ], "repeated": 0, "id": 1843 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2aaa5", "parentcaller": "0x00e5cb4c", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000035c" } ], "repeated": 0, "id": 1844 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2bc21", "parentcaller": "0x00e2b754", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "Kernel32.dll" }, { "name": "ModuleHandle", "value": "0x75130000" } ], "repeated": 0, "id": 1845 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2bc2e", "parentcaller": "0x00e2b754", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "QueryActCtxW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75148760" } ], "repeated": 0, "id": 1846 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2bc2e", "parentcaller": "0x00e2b7a4", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "GetModuleHandleExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75151640" } ], "repeated": 0, "id": 1847 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2bc2e", "parentcaller": "0x00e2c0c0", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "CreateActCtxW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75151f40" } ], "repeated": 0, "id": 1848 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2b83f", "parentcaller": "0x00e2b639", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000035c" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide" } ], "repeated": 0, "id": 1849 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2b83f", "parentcaller": "0x00e2b639", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x0000035c" }, { "name": "ValueName", "value": "PreferExternalManifest" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest" } ], "repeated": 0, "id": 1850 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2b83f", "parentcaller": "0x00e2b639", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000035c" } ], "repeated": 0, "id": 1851 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2b83f", "parentcaller": "0x00e2b639", "category": "filesystem", "api": "NtOpenFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x001200a9", "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE" }, { "name": "FileName", "value": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe.3.Manifest" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 1852 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2bc2e", "parentcaller": "0x00e2c160", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "ActivateActCtx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75150ac0" } ], "repeated": 0, "id": 1853 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2bc2e", "parentcaller": "0x00e2c3f0", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "FindActCtxSectionStringW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75148900" } ], "repeated": 0, "id": 1854 }, { "timestamp": "2026-06-28 21:56:15,730", "thread_id": "3636", "caller": "0x00e2b8c5", "parentcaller": "0x00e2b639", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\Comctl32" }, { "name": "DllBase", "value": "0x73800000" } ], "repeated": 0, "id": 1855 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e2b8c5", "parentcaller": "0x00e2b639", "category": "__notification__", "api": "sysenter", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadIdentifier", "value": "3636" }, { "name": "Module", "value": "KERNEL32.DLL" }, { "name": "Return Address", "value": "0x751524ac" } ], "repeated": 0, "id": 1856 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e2b8c5", "parentcaller": "0x00e2b639", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "Comctl32.dll" }, { "name": "BaseAddress", "value": "0x73800000" } ], "repeated": 0, "id": 1857 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e2bc2e", "parentcaller": "0x00e2c4d0", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x75130000" }, { "name": "FunctionName", "value": "DeactivateActCtx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75150aa0" } ], "repeated": 0, "id": 1858 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1859 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1860 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1861 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1862 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetUserDefaultLCID", "status": true, "return": "0x00000409", "arguments": [ { "name": "SystemDefaultLangID", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 1863 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006e3000" }, { "name": "RegionSize", "value": "0x00005000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1864 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006e8000" }, { "name": "RegionSize", "value": "0x00005000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1865 }, { "timestamp": "2026-06-28 21:56:15,746", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1866 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1867 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000032c" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "MSCTF.dll" } ], "repeated": 0, "id": 1868 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000032c" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x768e0000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x000d3000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1869 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1870 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1871 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1872 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a3000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1873 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 1874 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a3000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1875 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "35" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9o[\\xe8\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00t\\x00\\x00\\x00" } ], "repeated": 0, "id": 1876 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\System32\\MSCTF.dll" } ], "repeated": 0, "id": 1877 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x0000032c" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\msctf.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 1878 }, { "timestamp": "2026-06-28 21:56:15,761", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 1879 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a3000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1880 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a3000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1881 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\System32\\MSCTF" }, { "name": "DllBase", "value": "0x768e0000" } ], "repeated": 0, "id": 1882 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\msctf" }, { "name": "BaseAddress", "value": "0x768e0000" }, { "name": "InitRoutine", "value": "0x7692dfc0" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 1883 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x760cd000" }, { "name": "ModuleName", "value": "IMM32.DLL" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1884 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x760cd000" }, { "name": "ModuleName", "value": "IMM32.DLL" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1885 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 1886 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000330" } ], "repeated": 0, "id": 1887 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x760cd000" }, { "name": "ModuleName", "value": "IMM32.DLL" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1888 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x760cd000" }, { "name": "ModuleName", "value": "IMM32.DLL" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1889 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000002e0" }, { "name": "DesiredAccess", "value": "0x00000004" }, { "name": "ObjectAttributes", "value": "\\Sessions\\2\\Windows\\ThemeSection" } ], "repeated": 0, "id": 1890 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000002e0" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d30000" }, { "name": "SectionOffset", "value": "0x004fea8c" }, { "name": "ViewSize", "value": "0x00001000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1891 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000003cc" }, { "name": "DesiredAccess", "value": "0x00000004" }, { "name": "ObjectAttributes", "value": "\\Windows\\Theme4054054479" } ], "repeated": 0, "id": 1892 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000003d0" }, { "name": "DesiredAccess", "value": "0x00000004" }, { "name": "ObjectAttributes", "value": "\\Sessions\\2\\Windows\\Theme738112361" } ], "repeated": 0, "id": 1893 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtUnmapViewOfSectionEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d30000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Flags", "value": "0" } ], "repeated": 0, "id": 1894 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 1895 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000003cc" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e60000" }, { "name": "SectionOffset", "value": "0x004ff118" }, { "name": "ViewSize", "value": "0x000e2000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1896 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000003d0" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d30000" }, { "name": "SectionOffset", "value": "0x004ff118" }, { "name": "ViewSize", "value": "0x00004000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1897 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x00000042" }, { "name": "uiParam", "value": "0x0000000c" } ], "repeated": 0, "id": 1898 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 1899 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlRegisterFeatureConfigurationChangeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f32430" } ], "repeated": 0, "id": 1900 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "NtQueryWnfStateData" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f74000" } ], "repeated": 0, "id": 1901 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlSubscribeWnfStateChangeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f306b0" } ], "repeated": 0, "id": 1902 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDisownModuleHeapAllocation" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f6c1e0" } ], "repeated": 0, "id": 1903 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlQueryFeatureConfiguration" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f65220" } ], "repeated": 0, "id": 1904 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 1905 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtCreateMutant", "status": true, "return": "0x40000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" }, { "name": "MutexName", "value": "Local\\SM0:3412:168:WilStaging_02" }, { "name": "InitialOwner", "value": "0" } ], "repeated": 0, "id": 1906 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" }, { "name": "Milliseconds", "value": "18446744073709551615" }, { "name": "Status", "value": "Infinite" } ], "repeated": 0, "id": 1907 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 1908 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 1909 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 1910 }, { "timestamp": "2026-06-28 21:56:15,777", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtReleaseMutant", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 1, "id": 1911 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "comctl32.dll" }, { "name": "BaseAddress", "value": "0x73800000" } ], "repeated": 0, "id": 1912 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "Comctl32.dll" }, { "name": "ModuleHandle", "value": "0x73800000" }, { "name": "FunctionName", "value": "RegisterClassNameW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x73853530" } ], "repeated": 0, "id": 1913 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "user32" }, { "name": "BaseAddress", "value": "0x75d20000" } ], "repeated": 0, "id": 1914 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x739b0000" }, { "name": "ModuleName", "value": "Comctl32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1915 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x739b0000" }, { "name": "ModuleName", "value": "Comctl32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1916 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x00000042" }, { "name": "uiParam", "value": "0x0000000c" } ], "repeated": 2, "id": 1917 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00db1000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1918 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00db2000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1919 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00db4000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1920 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000330" }, { "name": "DesiredAccess", "value": "0x00000009", "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" } ], "repeated": 0, "id": 1921 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000330" }, { "name": "ValueName", "value": "ResourcePolicies" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies" } ], "repeated": 0, "id": 1922 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000330" } ], "repeated": 0, "id": 1923 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d40000" }, { "name": "RegionSize", "value": "0x00008000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1924 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d40000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1925 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x00000042" }, { "name": "uiParam", "value": "0x0000000c" } ], "repeated": 2, "id": 1926 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "comctl32.dll" }, { "name": "BaseAddress", "value": "0x73800000" } ], "repeated": 0, "id": 1927 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "Comctl32.dll" }, { "name": "ModuleHandle", "value": "0x73800000" }, { "name": "FunctionName", "value": "RegisterClassNameW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x73853530" } ], "repeated": 0, "id": 1928 }, { "timestamp": "2026-06-28 21:56:15,793", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x00000042" }, { "name": "uiParam", "value": "0x0000000c" } ], "repeated": 11, "id": 1929 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "comctl32.dll" }, { "name": "BaseAddress", "value": "0x73800000" } ], "repeated": 0, "id": 1930 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "Comctl32.dll" }, { "name": "ModuleHandle", "value": "0x73800000" }, { "name": "FunctionName", "value": "RegisterClassNameW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x73853530" } ], "repeated": 0, "id": 1931 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x739b0000" }, { "name": "ModuleName", "value": "Comctl32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1932 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x739b0000" }, { "name": "ModuleName", "value": "Comctl32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1933 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1934 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1935 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1936 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1937 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1938 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1939 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1940 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1941 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1942 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1943 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetUserDefaultLCID", "status": true, "return": "0x00000409", "arguments": [ { "name": "SystemDefaultLangID", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 1944 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 1945 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000330" }, { "name": "DesiredAccess", "value": "0x00000101", "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0" } ], "repeated": 0, "id": 1946 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000330" }, { "name": "ValueName", "value": "Disable" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable" } ], "repeated": 0, "id": 1947 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000330" }, { "name": "ValueName", "value": "DataFilePath" }, { "name": "Type", "value": "1", "pretty_value": "REG_SZ" }, { "name": "Information", "value": "C:\\Windows\\Fonts\\staticcache.dat" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath" } ], "repeated": 0, "id": 1948 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000330" } ], "repeated": 0, "id": 1949 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtCreateFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000330" }, { "name": "DesiredAccess", "value": "0x80100080", "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\Fonts\\staticcache.dat" }, { "name": "CreateDisposition", "value": "1", "pretty_value": "FILE_OPEN" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "yes" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1950 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtQueryInformationFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000330" }, { "name": "HandleName", "value": "C:\\Windows\\Fonts\\StaticCache.dat" }, { "name": "FileInformationClass", "value": "5", "pretty_value": "FileStandardInformation" }, { "name": "FileInformation", "value": "\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 1951 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtReadFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000330" }, { "name": "HandleName", "value": "C:\\Windows\\Fonts\\StaticCache.dat" }, { "name": "Buffer", "value": "\\x1a\\x83W\\xa5\\x02\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00$\\x01\\x00\\x00$)\\x00\\x00\\x00\\x00\\x02\\x00\\xbe\\x02\\x00\\x00<\\x00\\x00\\x00$!\\x00\\x00L)\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00" }, { "name": "Length", "value": "60" } ], "repeated": 0, "id": 1952 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000033c" }, { "name": "DesiredAccess", "value": "0x000f0005", "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000330" }, { "name": "FileName", "value": "C:\\Windows\\Fonts\\StaticCache.dat" } ], "repeated": 0, "id": 1953 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000033c" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05b40000" }, { "name": "SectionOffset", "value": "0x004fd530" }, { "name": "ViewSize", "value": "0x01260000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1954 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "TextShaping.dll" } ], "repeated": 0, "id": 1955 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\TextShaping.dll" } ], "repeated": 0, "id": 1956 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000340" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\TextShaping.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 1957 }, { "timestamp": "2026-06-28 21:56:15,808", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000360" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000340" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\TextShaping.dll" } ], "repeated": 0, "id": 1958 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000360" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73760000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x00094000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1959 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1960 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1961 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x737f1000" }, { "name": "ModuleName", "value": "TextShaping.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1962 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 1963 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" } ], "repeated": 0, "id": 1964 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x737f1000" }, { "name": "ModuleName", "value": "TextShaping.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1965 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\SYSTEM32\\TextShaping.dll" } ], "repeated": 0, "id": 1966 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000340" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\TextShaping.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 1967 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" } ], "repeated": 0, "id": 1968 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\TextShaping" }, { "name": "DllBase", "value": "0x73760000" } ], "repeated": 0, "id": 1969 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\TextShaping" }, { "name": "BaseAddress", "value": "0x73760000" }, { "name": "InitRoutine", "value": "0x737ef2b0" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 1970 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74f43000" }, { "name": "ModuleName", "value": "gdi32full.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1971 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x74f43000" }, { "name": "ModuleName", "value": "gdi32full.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1972 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006ed000" }, { "name": "RegionSize", "value": "0x00005000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 1973 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 1974 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "DesiredAccess", "value": "0x00000101", "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback" } ], "repeated": 0, "id": 1975 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane1" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1" } ], "repeated": 0, "id": 1976 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane2" }, { "name": "Type", "value": "1", "pretty_value": "REG_SZ" }, { "name": "Information", "value": "SimSun-ExtB" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2" } ], "repeated": 1, "id": 1977 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane3" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3" } ], "repeated": 0, "id": 1978 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane4" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4" } ], "repeated": 0, "id": 1979 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane5" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5" } ], "repeated": 0, "id": 1980 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane6" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6" } ], "repeated": 0, "id": 1981 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane7" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7" } ], "repeated": 0, "id": 1982 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane8" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8" } ], "repeated": 0, "id": 1983 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane9" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9" } ], "repeated": 0, "id": 1984 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane10" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10" } ], "repeated": 0, "id": 1985 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane11" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11" } ], "repeated": 0, "id": 1986 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane12" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12" } ], "repeated": 0, "id": 1987 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane13" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13" } ], "repeated": 0, "id": 1988 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane14" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14" } ], "repeated": 0, "id": 1989 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane15" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15" } ], "repeated": 0, "id": 1990 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "Plane16" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16" } ], "repeated": 0, "id": 1991 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" } ], "repeated": 0, "id": 1992 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 1993 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "DesiredAccess", "value": "0x00000109", "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_WOW64_64KEY" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback" } ], "repeated": 0, "id": 1994 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "KeyInformation", "value": "\\xffb4\\xfff3\\xff9a~\\xffe3\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x18\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00" }, { "name": "KeyInformationClass", "value": "4" } ], "repeated": 0, "id": 1995 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "Index", "value": "0" } ], "repeated": 0, "id": 1996 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "Index", "value": "1" } ], "repeated": 0, "id": 1997 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "Index", "value": "2" } ], "repeated": 0, "id": 1998 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "Index", "value": "3" } ], "repeated": 0, "id": 1999 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00000101", "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY" }, { "name": "ObjectAttributesHandle", "value": "0x00000340" }, { "name": "ObjectAttributesName", "value": "System" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\System" } ], "repeated": 0, "id": 2000 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" } ], "repeated": 0, "id": 2001 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 2002 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 2003 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000034c" } ], "repeated": 0, "id": 2004 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2005 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\AcroRd32.exe" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AcroRd32.exe" } ], "repeated": 0, "id": 2006 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x760cd000" }, { "name": "ModuleName", "value": "IMM32.DLL" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2007 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x760cd000" }, { "name": "ModuleName", "value": "IMM32.DLL" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2008 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000034c" } ], "repeated": 0, "id": 2009 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 2010 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "ChangeWindowMessageFilter", "status": true, "return": "0x00000001", "arguments": [ { "name": "message", "value": "49245" }, { "name": "dwFlag", "value": "1" } ], "repeated": 0, "id": 2011 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "ChangeWindowMessageFilter", "status": true, "return": "0x00000001", "arguments": [ { "name": "message", "value": "49246" }, { "name": "dwFlag", "value": "1" } ], "repeated": 0, "id": 2012 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 2013 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000034c" } ], "repeated": 1, "id": 2014 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 2015 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtOpenMutant", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" }, { "name": "MutexName", "value": "Local\\MSCTF.Asm.MutexDefault2" } ], "repeated": 0, "id": 2016 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2017 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" }, { "name": "Milliseconds", "value": "2000" } ], "repeated": 0, "id": 2018 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000034c" }, { "name": "DesiredAccess", "value": "0x00000004" }, { "name": "ObjectAttributes", "value": "Local\\CTF.AsmListCache.FMPDefault2" } ], "repeated": 0, "id": 2019 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000034c" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d60000" }, { "name": "SectionOffset", "value": "0x004fe5ac" }, { "name": "ViewSize", "value": "0x00001000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2020 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtUnmapViewOfSectionEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d60000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Flags", "value": "0" } ], "repeated": 0, "id": 2021 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000034c" } ], "repeated": 0, "id": 2022 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtReleaseMutant", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 1, "id": 2023 }, { "timestamp": "2026-06-28 21:56:15,824", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2024 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\AcroRd32.exe" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AcroRd32.exe" } ], "repeated": 0, "id": 2025 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 1, "id": 2026 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetSystemMetrics", "status": false, "return": "0x00000000", "arguments": [ { "name": "SystemMetricIndex", "value": "8192" } ], "repeated": 0, "id": 2027 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtOpenMutant", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" }, { "name": "MutexName", "value": "CicLoadWinStaWinSta0" } ], "repeated": 0, "id": 2028 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 2029 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtOpenMutant", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" }, { "name": "MutexName", "value": "Local\\MSCTF.CtfMonitorInstMutexDefault2" } ], "repeated": 0, "id": 2030 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" } ], "repeated": 0, "id": 2031 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2032 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000360" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE" } ], "repeated": 0, "id": 2033 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000360" }, { "name": "ValueName", "value": "LaunchUserOOBE" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE" } ], "repeated": 0, "id": 2034 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 2035 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2036 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2037 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 2038 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2039 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE" } ], "repeated": 0, "id": 2040 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000340" }, { "name": "ValueName", "value": "LaunchUserOOBE" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE" } ], "repeated": 0, "id": 2041 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" } ], "repeated": 0, "id": 2042 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2043 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlRegisterFeatureConfigurationChangeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f32430" } ], "repeated": 0, "id": 2044 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "NtQueryWnfStateData" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f74000" } ], "repeated": 0, "id": 2045 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlSubscribeWnfStateChangeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f306b0" } ], "repeated": 0, "id": 2046 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDisownModuleHeapAllocation" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f6c1e0" } ], "repeated": 0, "id": 2047 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlQueryFeatureConfiguration" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f65220" } ], "repeated": 0, "id": 2048 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2049 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtCreateMutant", "status": true, "return": "0x40000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" }, { "name": "MutexName", "value": "Local\\SM0:3412:168:WilStaging_02" }, { "name": "InitialOwner", "value": "0" } ], "repeated": 0, "id": 2050 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" }, { "name": "Milliseconds", "value": "18446744073709551615" }, { "name": "Status", "value": "Infinite" } ], "repeated": 0, "id": 2051 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2052 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 2053 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" } ], "repeated": 0, "id": 2054 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtReleaseMutant", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 1, "id": 2055 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x754dd000" }, { "name": "ModuleName", "value": "OLEAUT32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2056 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x754dd000" }, { "name": "ModuleName", "value": "OLEAUT32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2057 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtOpenEvent", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "EventName", "value": "Local\\2ImmersiveFocusTrackingActiveEvent" } ], "repeated": 0, "id": 2058 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04db0000" }, { "name": "RegionSize", "value": "0x00080000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2059 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04db0000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2060 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 2061 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "textinputframework.dll" } ], "repeated": 0, "id": 2062 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\textinputframework.dll" } ], "repeated": 0, "id": 2063 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000420" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\textinputframework.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 2064 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000424" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000420" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\TextInputFramework.dll" } ], "repeated": 0, "id": 2065 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000424" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x736a0000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x000b9000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2066 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374e000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2067 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2068 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2069 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374c000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2070 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "CoreUIComponents.dll" } ], "repeated": 0, "id": 2071 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "CoreMessaging.dll" } ], "repeated": 0, "id": 2072 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000424" } ], "repeated": 0, "id": 2073 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" } ], "repeated": 0, "id": 2074 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\CoreUIComponents.dll" } ], "repeated": 0, "id": 2075 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000420" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\CoreUIComponents.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 2076 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000424" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000420" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\CoreUIComponents.dll" } ], "repeated": 0, "id": 2077 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000424" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73420000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x0027e000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2078 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7363a000" }, { "name": "ModuleName", "value": "CoreUIComponents.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2079 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2080 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2081 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7358d000" }, { "name": "ModuleName", "value": "CoreUIComponents.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2082 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "CoreMessaging.dll" } ], "repeated": 0, "id": 2083 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "wintypes.dll" } ], "repeated": 2, "id": 2084 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000424" } ], "repeated": 0, "id": 2085 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" } ], "repeated": 0, "id": 2086 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\CoreMessaging.dll" } ], "repeated": 0, "id": 2087 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000420" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\CoreMessaging.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 2088 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000424" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000420" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\CoreMessaging.dll" } ], "repeated": 0, "id": 2089 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000424" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73380000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x0009b000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2090 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2091 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2092 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2093 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x733e6000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2094 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000424" } ], "repeated": 0, "id": 2095 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" } ], "repeated": 0, "id": 2096 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\CoreMessaging.dll" } ], "repeated": 0, "id": 2097 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\WinTypes.dll" } ], "repeated": 0, "id": 2098 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000420" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\WinTypes.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 2099 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000424" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000420" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\WinTypes.dll" } ], "repeated": 0, "id": 2100 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000424" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x732a0000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x000db000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2101 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73362000" }, { "name": "ModuleName", "value": "wintypes.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2102 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2103 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x77029000" }, { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00003000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2104 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73360000" }, { "name": "ModuleName", "value": "wintypes.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2105 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000424" } ], "repeated": 0, "id": 2106 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" } ], "repeated": 0, "id": 2107 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\WinTypes.dll" } ], "repeated": 1, "id": 2108 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374c000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2109 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x733e6000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2110 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73360000" }, { "name": "ModuleName", "value": "wintypes.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2111 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7358d000" }, { "name": "ModuleName", "value": "CoreUIComponents.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2112 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "35" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x000\\x15k\\x004\\x0e\\x00\\x00\\x02\\x00\\x00\\x00\\xa8\\xc1k\\x00\\x80\\x13\\x00\\x00\\x02\\x00\\x00\\x00X\\xc1k\\x00\\x88\\x12\\x00\\x00\\x02\\x00\\x00\\x00h\\xc0k\\x00\\xd8\t\\x00\\x00\\x02\\x00\\x00\\x00\\x18\\xc0k\\x00\\xf8\\x08\\x00\\x00\\x02\\x00\\x00\\x00\\xf8\\xc1k\\x00\\xd0\r\\x00\\x00" } ], "repeated": 0, "id": 2113 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\System32\\CoreMessaging.dll" } ], "repeated": 0, "id": 2114 }, { "timestamp": "2026-06-28 21:56:15,840", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000420" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\CoreMessaging.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 2115 }, { "timestamp": "2026-06-28 21:56:15,855", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" } ], "repeated": 0, "id": 2116 }, { "timestamp": "2026-06-28 21:56:15,871", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x733e6000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2117 }, { "timestamp": "2026-06-28 21:56:15,871", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x733e6000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2118 }, { "timestamp": "2026-06-28 21:56:15,871", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\System32\\CoreMessaging" }, { "name": "DllBase", "value": "0x73380000" } ], "repeated": 0, "id": 2119 }, { "timestamp": "2026-06-28 21:56:15,886", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\SYSTEM32\\wintypes.dll" } ], "repeated": 0, "id": 2120 }, { "timestamp": "2026-06-28 21:56:15,886", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000420" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\WinTypes.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 2121 }, { "timestamp": "2026-06-28 21:56:15,886", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" } ], "repeated": 0, "id": 2122 }, { "timestamp": "2026-06-28 21:56:15,902", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73360000" }, { "name": "ModuleName", "value": "wintypes.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2123 }, { "timestamp": "2026-06-28 21:56:15,902", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73360000" }, { "name": "ModuleName", "value": "wintypes.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2124 }, { "timestamp": "2026-06-28 21:56:15,902", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\wintypes" }, { "name": "DllBase", "value": "0x732a0000" } ], "repeated": 0, "id": 2125 }, { "timestamp": "2026-06-28 21:56:15,902", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\System32\\CoreUIComponents.dll" } ], "repeated": 0, "id": 2126 }, { "timestamp": "2026-06-28 21:56:15,902", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000420" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\CoreUIComponents.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 2127 }, { "timestamp": "2026-06-28 21:56:15,902", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" } ], "repeated": 0, "id": 2128 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7358d000" }, { "name": "ModuleName", "value": "CoreUIComponents.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2129 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7358d000" }, { "name": "ModuleName", "value": "CoreUIComponents.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000040", "pretty_value": "PAGE_EXECUTE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2130 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\System32\\CoreUIComponents" }, { "name": "DllBase", "value": "0x73420000" } ], "repeated": 0, "id": 2131 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlDosPathNameToNtPathName_U", "status": true, "return": "0x00000001", "arguments": [ { "name": "DosFileName", "value": "C:\\Windows\\SYSTEM32\\textinputframework.dll" } ], "repeated": 0, "id": 2132 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000360" }, { "name": "DesiredAccess", "value": "0x00020000", "pretty_value": "READ_CONTROL" }, { "name": "FileName", "value": "C:\\Windows\\System32\\textinputframework.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 2133 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 2134 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\textinputframework" }, { "name": "DllBase", "value": "0x736a0000" } ], "repeated": 0, "id": 2135 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\CoreMessaging" }, { "name": "BaseAddress", "value": "0x73380000" }, { "name": "InitRoutine", "value": "0x733e0f00" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 2136 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\WinTypes" }, { "name": "BaseAddress", "value": "0x732a0000" }, { "name": "InitRoutine", "value": "0x73318590" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 2137 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00934000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2138 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00936000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2139 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000042c" }, { "name": "DesiredAccess", "value": "0x00000009", "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" } ], "repeated": 0, "id": 2140 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x0000042c" }, { "name": "ValueName", "value": "ResourcePolicies" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies" } ], "repeated": 0, "id": 2141 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000042c" } ], "repeated": 0, "id": 2142 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d60000" }, { "name": "RegionSize", "value": "0x00008000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2143 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d60000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2144 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\CoreUIComponents" }, { "name": "BaseAddress", "value": "0x73420000" }, { "name": "InitRoutine", "value": "0x7347e960" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 2145 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006f2000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2146 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\TextInputFramework" }, { "name": "BaseAddress", "value": "0x736a0000" }, { "name": "InitRoutine", "value": "0x736e0690" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 2147 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2148 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2149 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2150 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000438" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\CTF\\" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\" } ], "repeated": 0, "id": 2151 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000438" }, { "name": "ValueName", "value": "EnableAnchorContext" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext" } ], "repeated": 0, "id": 2152 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000438" } ], "repeated": 0, "id": 2153 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 2154 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "USER32" }, { "name": "ModuleHandle", "value": "0x75d20000" } ], "repeated": 0, "id": 2155 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "filesystem", "api": "NtOpenFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\SystemResources\\USER32.dll.mun" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 1, "id": 2156 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2157 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75030000" }, { "name": "ModuleName", "value": "GDI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2158 }, { "timestamp": "2026-06-28 21:56:15,980", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetUserDefaultLCID", "status": true, "return": "0x00000409", "arguments": [ { "name": "SystemDefaultLangID", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 2159 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x00000068" }, { "name": "uiParam", "value": "0x00000000" } ], "repeated": 0, "id": 2160 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x0000006c" }, { "name": "uiParam", "value": "0x00000000" } ], "repeated": 0, "id": 2161 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetSystemMetrics", "status": false, "return": "0x00000000", "arguments": [ { "name": "SystemMetricIndex", "value": "4096" } ], "repeated": 0, "id": 2162 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x00000026" }, { "name": "uiParam", "value": "0x00000004" } ], "repeated": 0, "id": 2163 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x0000103e" }, { "name": "uiParam", "value": "0x00000000" } ], "repeated": 0, "id": 2164 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x00001042" }, { "name": "uiParam", "value": "0x00000000" } ], "repeated": 0, "id": 2165 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "SystemParametersInfoW", "status": true, "return": "0x00000001", "arguments": [ { "name": "Action", "value": "0x0000001b" }, { "name": "uiParam", "value": "0x00000000" } ], "repeated": 0, "id": 2166 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x739b0000" }, { "name": "ModuleName", "value": "Comctl32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2167 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x739b0000" }, { "name": "ModuleName", "value": "Comctl32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2168 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2169 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" } ], "repeated": 0, "id": 2170 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "ValueName", "value": "TurnOffSPIAnimations" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations" } ], "repeated": 0, "id": 2171 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000034c" } ], "repeated": 0, "id": 2172 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2173 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x00000054" }, { "name": "ObjectAttributesName", "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" }, { "name": "ObjectAttributes", "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" } ], "repeated": 0, "id": 2174 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "ValueName", "value": "TurnOffSPIAnimations" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations" } ], "repeated": 0, "id": 2175 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000034c" } ], "repeated": 0, "id": 2176 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00db6000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2177 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2178 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "DesiredAccess", "value": "0x00000109", "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_WOW64_64KEY" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink" } ], "repeated": 0, "id": 2179 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "KeyInformation", "value": "x\\x7f,\\xffc9}\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00\\x00\\x006\\x00\\x00\\x00\\xff84\\x03\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00" }, { "name": "KeyInformationClass", "value": "4" } ], "repeated": 0, "id": 2180 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006f5000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2181 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "0" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2182 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "0" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2183 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "1" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2184 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "1" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2185 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "2" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2186 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "2" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2187 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "3" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2188 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "3" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2189 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "4" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2190 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "4" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2191 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "5" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2192 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "5" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2193 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "6" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2194 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "6" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2195 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "7" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2196 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "7" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2197 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "8" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2198 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "8" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2199 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "9" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2200 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "9" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2201 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "10" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2202 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "10" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2203 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "11" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2204 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "11" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2205 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "12" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2206 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "12" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2207 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "13" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2208 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "13" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2209 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "14" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2210 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "14" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2211 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "15" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2212 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "15" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2213 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "16" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2214 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "16" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2215 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "17" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2216 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "17" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2217 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "18" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2218 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "18" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2219 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "19" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2220 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "19" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2221 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "20" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2222 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "20" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2223 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "21" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2224 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "21" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2225 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "22" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2226 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "22" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2227 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "23" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2228 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "23" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2229 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "24" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2230 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "24" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2231 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "25" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2232 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "25" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2233 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "26" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2234 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "26" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2235 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "27" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2236 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "27" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2237 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "28" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2238 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "28" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2239 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "29" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2240 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "29" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2241 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "30" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2242 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "30" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2243 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "31" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2244 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "31" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2245 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "32" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2246 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "32" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2247 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "33" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2248 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "33" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2249 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "34" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2250 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "34" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2251 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "35" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2252 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "35" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2253 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "36" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2254 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "36" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2255 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "37" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2256 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "37" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2257 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "38" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2258 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "38" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2259 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "39" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2260 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "39" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2261 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "40" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2262 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "40" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2263 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "41" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2264 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "41" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2265 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "42" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2266 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "42" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2267 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "43" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2268 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "43" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2269 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "44" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2270 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "44" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2271 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "45" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2272 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "45" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2273 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "46" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2274 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "46" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2275 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "47" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2276 }, { "timestamp": "2026-06-28 21:56:16,011", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "47" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2277 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "48" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2278 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "48" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2279 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "49" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2280 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "49" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2281 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "50" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2282 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "50" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2283 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "51" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2284 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "51" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2285 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "52" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2286 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "52" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2287 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "53" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2288 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "53" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2289 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "54" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2290 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "54" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2291 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "55" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2292 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "55" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2293 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "56" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2294 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "56" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2295 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "57" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2296 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "57" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2297 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "58" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2298 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "58" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2299 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "59" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2300 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "59" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2301 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "60" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2302 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "60" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2303 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "61" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2304 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "61" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2305 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "62" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2306 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "62" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2307 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "63" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2308 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "63" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2309 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "64" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2310 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "64" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2311 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "65" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2312 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "65" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2313 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff80000005", "pretty_return": "BUFFER_OVERFLOW", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "66" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2314 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "66" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2315 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateValueKey", "status": false, "return": "0xffffffff8000001a", "pretty_return": "NO_MORE_ENTRIES", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "Index", "value": "67" }, { "name": "KeyValueInformationClass", "value": "1" } ], "repeated": 0, "id": 2316 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000034c" } ], "repeated": 0, "id": 2317 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006f8000" }, { "name": "RegionSize", "value": "0x00006000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2318 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006fe000" }, { "name": "RegionSize", "value": "0x00015000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2319 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00713000" }, { "name": "RegionSize", "value": "0x00008000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2320 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006fc000" }, { "name": "RegionSize", "value": "0x0001e000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2321 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006fc000" }, { "name": "RegionSize", "value": "0x0001e000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2322 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2323 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x0000034c" }, { "name": "DesiredAccess", "value": "0x00000109", "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_WOW64_64KEY" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback" } ], "repeated": 0, "id": 2324 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00000101", "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY" }, { "name": "ObjectAttributesHandle", "value": "0x0000034c" }, { "name": "ObjectAttributesName", "value": "MS Shell Dlg 2" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MS Shell Dlg 2" } ], "repeated": 0, "id": 2325 }, { "timestamp": "2026-06-28 21:56:16,027", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000034c" } ], "repeated": 0, "id": 2326 }, { "timestamp": "2026-06-28 21:56:16,043", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetUserDefaultLCID", "status": true, "return": "0x00000409", "arguments": [ { "name": "SystemDefaultLangID", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 15, "id": 2327 }, { "timestamp": "2026-06-28 21:56:17,621", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "C:\\Windows\\System32\\msctf.dll" }, { "name": "BaseAddress", "value": "0x768e0000" } ], "repeated": 0, "id": 2328 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2329 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2330 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2331 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName" } ], "repeated": 0, "id": 2332 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtQueryInformationToken", "status": true, "return": "0x00000000", "arguments": [ { "name": "TokenInformationClass", "value": "1" }, { "name": "TokenInformation", "value": "l\\xf2O\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xfe\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x18\\x1bk\\x00\\xf4\\xf2O\\x00\\xd5X\\xb8u\\x90\\xb7\\xc5uu\\xf3\\x92ch\\xf3O\\x00\\x02\\x00\\x00\\x80\\xca\\x02\\x07\\x00" } ], "repeated": 0, "id": 2333 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000348" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002" }, { "name": "ObjectAttributes", "value": "HKEY_CURRENT_USER" } ], "repeated": 0, "id": 2334 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000350" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000348" }, { "name": "ObjectAttributesName", "value": "Software\\Microsoft\\CTF\\DirectSwitchHotkeys" }, { "name": "ObjectAttributes", "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys" } ], "repeated": 0, "id": 2335 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000348" } ], "repeated": 0, "id": 2336 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtEnumerateKey", "status": false, "return": "0xffffffff8000001a", "pretty_return": "NO_MORE_ENTRIES", "arguments": [ { "name": "KeyHandle", "value": "0x00000350" }, { "name": "Index", "value": "0" } ], "repeated": 0, "id": 2337 }, { "timestamp": "2026-06-28 21:56:17,636", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000350" } ], "repeated": 0, "id": 2338 }, { "timestamp": "2026-06-28 21:56:17,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 1, "id": 2339 }, { "timestamp": "2026-06-28 21:56:17,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetUserDefaultLCID", "status": true, "return": "0x00000409", "arguments": [ { "name": "SystemDefaultLangID", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 8, "id": 2340 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e64cb3", "parentcaller": "0x00e5c565", "category": "windows", "api": "PostMessageW", "status": true, "return": "0x00000001", "arguments": [ { "name": "WindowHandle", "value": "0x000c04f6" }, { "name": "Message", "value": "0x00000000" } ], "repeated": 0, "id": 2341 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetUserDefaultLCID", "status": true, "return": "0x00000409", "arguments": [ { "name": "SystemDefaultLangID", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 2342 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 1, "id": 2343 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetSystemInfo", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2344 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06da0000" }, { "name": "RegionSize", "value": "0x00800000" }, { "name": "Protection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2345 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetSystemInfo", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2346 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "NtQuerySystemInformation", "status": true, "return": "0x00000000", "arguments": [ { "name": "SystemInformationClass", "value": "58" } ], "repeated": 0, "id": 2347 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtDuplicateObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "SourceProcessHandle", "value": "0xffffffff" }, { "name": "SourceHandle", "value": "0xfffffffe" }, { "name": "TargetProcessHandle", "value": "0xffffffff" }, { "name": "TargetHandle", "value": "0x00000348" }, { "name": "Options", "value": "0x00000002" } ], "repeated": 0, "id": 2348 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00938000" }, { "name": "RegionSize", "value": "0x00007000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2349 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetSystemTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2350 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtDuplicateObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "SourceProcessHandle", "value": "0xffffffff" }, { "name": "SourceHandle", "value": "0xfffffffe" }, { "name": "TargetProcessHandle", "value": "0xffffffff" }, { "name": "TargetHandle", "value": "0x0000044c" }, { "name": "Options", "value": "0x00000002" } ], "repeated": 0, "id": 2351 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" } ], "repeated": 0, "id": 2352 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2353 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "IsGUIThread" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75d62b70" } ], "repeated": 0, "id": 2354 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2355 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2356 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlRegisterFeatureConfigurationChangeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f32430" } ], "repeated": 0, "id": 2357 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "NtQueryWnfStateData" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f74000" } ], "repeated": 0, "id": 2358 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlSubscribeWnfStateChangeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f306b0" } ], "repeated": 0, "id": 2359 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDisownModuleHeapAllocation" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f6c1e0" } ], "repeated": 0, "id": 2360 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlQueryFeatureConfiguration" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f65220" } ], "repeated": 0, "id": 2361 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2362 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtCreateMutant", "status": true, "return": "0x40000000", "arguments": [ { "name": "Handle", "value": "0x00000454" }, { "name": "MutexName", "value": "Local\\SM0:3412:168:WilStaging_02" }, { "name": "InitialOwner", "value": "0" } ], "repeated": 0, "id": 2363 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000454" }, { "name": "Milliseconds", "value": "18446744073709551615" }, { "name": "Status", "value": "Infinite" } ], "repeated": 0, "id": 2364 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2365 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000458" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 2366 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000458" } ], "repeated": 0, "id": 2367 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtReleaseMutant", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000454" } ], "repeated": 1, "id": 2368 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2369 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "RegisterClassExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75d50880" } ], "repeated": 0, "id": 2370 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2371 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2372 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "CreateWindowExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75d51ac0" } ], "repeated": 0, "id": 2373 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2374 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2375 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "DefWindowProcW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f87d50" } ], "repeated": 0, "id": 2376 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2377 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2378 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "SetWindowLongW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75d57cc0" } ], "repeated": 0, "id": 2379 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2380 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2381 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "SetTimer" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75d61230" } ], "repeated": 0, "id": 2382 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2383 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2384 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "2612" }, { "name": "FunctionAddress", "value": "0x75d62ee0" } ], "repeated": 0, "id": 2385 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2386 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2387 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "GetWindowLongW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75d5adb0" } ], "repeated": 0, "id": 2388 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2389 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2390 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "GetWindowThreadProcessId" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75d5cef0" } ], "repeated": 0, "id": 2391 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2392 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2393 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "SendMessageCallbackW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75d62670" } ], "repeated": 0, "id": 2394 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2395 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtDuplicateObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "SourceProcessHandle", "value": "0xffffffff" }, { "name": "SourceHandle", "value": "0xfffffffe" }, { "name": "TargetProcessHandle", "value": "0xffffffff" }, { "name": "TargetHandle", "value": "0x00000458" }, { "name": "Options", "value": "0x00000002" } ], "repeated": 0, "id": 2396 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2397 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "combase.dll" }, { "name": "ModuleHandle", "value": "0x75760000" }, { "name": "FunctionName", "value": "CoCreateGuid" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75819180" } ], "repeated": 0, "id": 2398 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2399 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtQueryInformationToken", "status": true, "return": "0x00000000", "arguments": [ { "name": "TokenInformationClass", "value": "29" }, { "name": "TokenInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 2400 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06da0000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2401 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2402 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x75d20000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "2582" }, { "name": "FunctionAddress", "value": "0x75d62960" } ], "repeated": 0, "id": 2403 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x73404000" }, { "name": "ModuleName", "value": "CoreMessaging.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2404 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2405 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "srand", "status": true, "return": "0x00000000", "arguments": [ { "name": "seed", "value": "0x6a42444b" } ], "repeated": 0, "id": 2406 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2407 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2408 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlRegisterFeatureConfigurationChangeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f32430" } ], "repeated": 0, "id": 2409 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "NtQueryWnfStateData" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f74000" } ], "repeated": 0, "id": 2410 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlSubscribeWnfStateChangeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f306b0" } ], "repeated": 0, "id": 2411 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDisownModuleHeapAllocation" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f6c1e0" } ], "repeated": 0, "id": 2412 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlQueryFeatureConfiguration" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f65220" } ], "repeated": 0, "id": 2413 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2414 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtCreateMutant", "status": true, "return": "0x40000000", "arguments": [ { "name": "Handle", "value": "0x0000046c" }, { "name": "MutexName", "value": "Local\\SM0:3412:168:WilStaging_02" }, { "name": "InitialOwner", "value": "0" } ], "repeated": 0, "id": 2415 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000046c" }, { "name": "Milliseconds", "value": "18446744073709551615" }, { "name": "Status", "value": "Infinite" } ], "repeated": 0, "id": 2416 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2417 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000470" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 2418 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000470" } ], "repeated": 0, "id": 2419 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtReleaseMutant", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000046c" } ], "repeated": 1, "id": 2420 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2421 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000470" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" } ], "repeated": 0, "id": 2422 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000470" }, { "name": "ValueName", "value": "IsVailContainer" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer" } ], "repeated": 0, "id": 2423 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000470" } ], "repeated": 0, "id": 2424 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2425 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000470" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "Software\\Microsoft\\Input" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Input" } ], "repeated": 0, "id": 2426 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000470" }, { "name": "ValueName", "value": "ResyncResetTime" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime" } ], "repeated": 0, "id": 2427 }, { "timestamp": "2026-06-28 21:56:18,652", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000470" }, { "name": "ValueName", "value": "MaxResyncAttempts" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts" } ], "repeated": 0, "id": 2428 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000470" } ], "repeated": 0, "id": 2429 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374e000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2430 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374e000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2431 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374e000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2432 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374e000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2433 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374e000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2434 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374e000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2435 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374e000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2436 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7374e000" }, { "name": "ModuleName", "value": "textinputframework.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2437 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2438 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2439 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "iertutil.dll" }, { "name": "ModuleHandle", "value": "0x73d80000" } ], "repeated": 0, "id": 2440 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2441 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x769a7000" }, { "name": "ModuleName", "value": "MSCTF.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2442 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2443 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlGetDeviceFamilyInfoEnum" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f6b9c0" } ], "repeated": 0, "id": 2444 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtQueryLicenseValue", "status": true, "return": "0x00000000", "arguments": [ { "name": "Name", "value": "Kernel-OneCore-DeviceFamilyID" }, { "name": "Type", "value": "0x00000004" } ], "repeated": 0, "id": 2445 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtOpenEvent", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "EventName", "value": "Local\\2ImmersiveFocusTrackingActiveEvent" } ], "repeated": 0, "id": 2446 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 2447 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "synchronization", "api": "NtOpenEvent", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "Handle", "value": "0x00000000" }, { "name": "EventName", "value": "Local\\2ImmersiveFocusTrackingActiveEvent" } ], "repeated": 0, "id": 2448 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "GetKeyboardLayout", "status": true, "return": "0x04090409", "arguments": [ { "name": "KeyboardLayout", "value": "0x00000409" }, { "name": "LanguageName", "value": "English (United States)" } ], "repeated": 0, "id": 2449 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 2450 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000470" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x000000ec" }, { "name": "ObjectAttributesName", "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE" } ], "repeated": 0, "id": 2451 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000470" }, { "name": "ValueName", "value": "LaunchUserOOBE" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE" } ], "repeated": 0, "id": 2452 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000470" } ], "repeated": 0, "id": 2453 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000460" } ], "repeated": 0, "id": 2454 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000045c" } ], "repeated": 0, "id": 2455 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000440" } ], "repeated": 0, "id": 2456 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000448" } ], "repeated": 0, "id": 2457 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000444" } ], "repeated": 0, "id": 2458 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000458" } ], "repeated": 0, "id": 2459 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000468" } ], "repeated": 0, "id": 2460 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "956", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2461 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "956", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 2462 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "956", "caller": "0x75b9106a", "parentcaller": "0x733cc005", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000043c" } ], "repeated": 0, "id": 2463 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "956", "caller": "0x75b9106a", "parentcaller": "0x733a126a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000468" } ], "repeated": 0, "id": 2464 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "956", "caller": "0x733d26f6", "parentcaller": "0x733b2161", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000464" } ], "repeated": 0, "id": 2465 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "524", "caller": "0x76f66416", "parentcaller": "0x76f66321", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2466 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "524", "caller": "0x00000000", "parentcaller": "0x00000000", "category": "threading", "api": "RtlUserThreadStart", "status": true, "return": "0x00000000", "arguments": [ { "name": "StartAddress", "value": "0x00000000" }, { "name": "Parameter", "value": "0x00000000" } ], "repeated": 0, "id": 2467 }, { "timestamp": "2026-06-28 21:56:18,668", "thread_id": "3636", "caller": "0x00e5c565", "parentcaller": "0x00e5cbb3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000340" } ], "repeated": 0, "id": 2468 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e2a75b", "parentcaller": "0x00e2d020", "category": "registry", "api": "RegOpenKeyExW", "status": false, "return": "0x00000002", "arguments": [ { "name": "Registry", "value": "0x80000001", "pretty_value": "HKEY_CURRENT_USER" }, { "name": "SubKey", "value": "Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" }, { "name": "Handle", "value": "0x00000000" }, { "name": "FullName", "value": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged" } ], "repeated": 0, "id": 2469 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e2befa", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002d4" } ], "repeated": 0, "id": 2470 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e2befa", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002cc" } ], "repeated": 0, "id": 2471 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e2befa", "parentcaller": "0x00e2af45", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000320" } ], "repeated": 0, "id": 2472 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e2befa", "parentcaller": "0x00e2af45", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "oleaut32.dll" }, { "name": "ModuleHandle", "value": "0x75450000" } ], "repeated": 0, "id": 2473 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e7262f", "parentcaller": "0x00e2af7d", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000308" } ], "repeated": 0, "id": 2474 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e72640", "parentcaller": "0x00e2af7d", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 2475 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e72640", "parentcaller": "0x00e2af7d", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000310" }, { "name": "Milliseconds", "value": "5000" } ], "repeated": 0, "id": 2476 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3536", "caller": "0x76f6b4e6", "parentcaller": "0x7514fa30", "category": "threading", "api": "NtQueryInformationThread", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0xfffffffe" }, { "name": "ThreadInformationClass", "value": "12" }, { "name": "ThreadInformation", "value": "\\x00\\x00\\x00\\x00" }, { "name": "ThreadId", "value": "3536" } ], "repeated": 0, "id": 2477 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3536", "caller": "0x76f2fae4", "parentcaller": "0x76f2f7cb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00702000" }, { "name": "RegionSize", "value": "0x00018000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2478 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3536", "caller": "0x76f2fae4", "parentcaller": "0x76f2f7cb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006ca000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2479 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3536", "caller": "0x76f6b509", "parentcaller": "0x7514fa30", "category": "threading", "api": "NtTerminateThread", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x00000000" }, { "name": "ExitStatus", "value": "0x00000000" }, { "name": "ThreadId", "value": "0" }, { "name": "ProcessId", "value": "0" } ], "repeated": 0, "id": 2480 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e726e7", "parentcaller": "0x00e2af7d", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000310" } ], "repeated": 0, "id": 2481 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e726fd", "parentcaller": "0x00e2af7d", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000030c" } ], "repeated": 0, "id": 2482 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e25682", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0510d000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2483 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e25682", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x050ab000" }, { "name": "RegionSize", "value": "0x00061000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2484 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e25682", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x0510d000" }, { "name": "RegionSize", "value": "0x00041000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2485 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e25682", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05089000" }, { "name": "RegionSize", "value": "0x00020000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2486 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e25682", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x04e5a000" }, { "name": "RegionSize", "value": "0x00004000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2487 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e25682", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05074000" }, { "name": "RegionSize", "value": "0x00004000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2488 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00e22d0a", "parentcaller": "0x00e25682", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05a04000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2489 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00edde99", "parentcaller": "0x00eddec1", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "mscoree.dll" }, { "name": "ModuleHandle", "value": "0x113d9577" } ], "repeated": 0, "id": 2490 }, { "timestamp": "2026-06-28 21:56:18,683", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtTerminateProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0x00000000" }, { "name": "ExitCode", "value": "0x00000001" } ], "repeated": 0, "id": 2491 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "kernel32.dll" }, { "name": "ModuleHandle", "value": "0x75130000" } ], "repeated": 0, "id": 2492 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "kernelbase.dll" }, { "name": "ModuleHandle", "value": "0x75a80000" } ], "repeated": 0, "id": 2493 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000046c" } ], "repeated": 0, "id": 2494 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000042c" } ], "repeated": 0, "id": 2495 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000430" } ], "repeated": 0, "id": 2496 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000434" } ], "repeated": 0, "id": 2497 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000428" } ], "repeated": 0, "id": 2498 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000424" } ], "repeated": 0, "id": 2499 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2500 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2501 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000360" } ], "repeated": 0, "id": 2502 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000420" } ], "repeated": 0, "id": 2503 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2504 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2505 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2506 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2507 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000032c" } ], "repeated": 0, "id": 2508 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000041c" } ], "repeated": 0, "id": 2509 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000338" } ], "repeated": 0, "id": 2510 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00d20000" }, { "name": "RegionSize", "value": "0x00002000" } ], "repeated": 0, "id": 2511 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000358" } ], "repeated": 0, "id": 2512 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2513 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2514 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000390" } ], "repeated": 0, "id": 2515 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000394" } ], "repeated": 0, "id": 2516 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000398" } ], "repeated": 0, "id": 2517 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000039c" } ], "repeated": 0, "id": 2518 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003a0" } ], "repeated": 0, "id": 2519 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003a4" } ], "repeated": 0, "id": 2520 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003ac" } ], "repeated": 0, "id": 2521 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003b0" } ], "repeated": 0, "id": 2522 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003b4" } ], "repeated": 0, "id": 2523 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003b8" } ], "repeated": 0, "id": 2524 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000038c" } ], "repeated": 0, "id": 2525 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000380" } ], "repeated": 0, "id": 2526 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2527 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2528 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002d0" } ], "repeated": 0, "id": 2529 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002dc" } ], "repeated": 0, "id": 2530 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000324" } ], "repeated": 0, "id": 2531 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e8" } ], "repeated": 0, "id": 2532 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002ec" } ], "repeated": 0, "id": 2533 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002f0" } ], "repeated": 0, "id": 2534 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002f4" } ], "repeated": 0, "id": 2535 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002f8" } ], "repeated": 0, "id": 2536 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002fc" } ], "repeated": 0, "id": 2537 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000300" } ], "repeated": 0, "id": 2538 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000304" } ], "repeated": 0, "id": 2539 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000288" } ], "repeated": 0, "id": 2540 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000026c" } ], "repeated": 0, "id": 2541 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000270" } ], "repeated": 0, "id": 2542 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000268" } ], "repeated": 0, "id": 2543 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000264" } ], "repeated": 0, "id": 2544 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000260" } ], "repeated": 0, "id": 2545 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000025c" } ], "repeated": 0, "id": 2546 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000023c" } ], "repeated": 0, "id": 2547 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000240" } ], "repeated": 0, "id": 2548 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000238" } ], "repeated": 0, "id": 2549 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000214" } ], "repeated": 0, "id": 2550 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000218" } ], "repeated": 0, "id": 2551 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000210" } ], "repeated": 0, "id": 2552 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000020c" } ], "repeated": 0, "id": 2553 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2554 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2555 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000208" } ], "repeated": 0, "id": 2556 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000204" } ], "repeated": 0, "id": 2557 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2558 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlGetDeviceFamilyInfoEnum" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f6b9c0" } ], "repeated": 0, "id": 2559 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtQueryLicenseValue", "status": true, "return": "0x00000000", "arguments": [ { "name": "Name", "value": "Kernel-OneCore-DeviceFamilyID" }, { "name": "Type", "value": "0x00000004" } ], "repeated": 0, "id": 2560 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": false, "return": "0xffffffffc0000008", "pretty_return": "INVALID_HANDLE", "arguments": [ { "name": "Handle", "value": "0x00000000" } ], "repeated": 1, "id": 2561 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2562 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2563 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001ec" } ], "repeated": 0, "id": 2564 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001f0" } ], "repeated": 0, "id": 2565 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2566 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2567 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001e8" } ], "repeated": 0, "id": 2568 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003c8" } ], "repeated": 0, "id": 2569 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtUnmapViewOfSectionEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x00690000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Flags", "value": "0" } ], "repeated": 0, "id": 2570 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000003bc" } ], "repeated": 0, "id": 2571 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001dc" } ], "repeated": 0, "id": 2572 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2573 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2574 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001d0" } ], "repeated": 0, "id": 2575 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001b8" } ], "repeated": 0, "id": 2576 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001bc" } ], "repeated": 0, "id": 2577 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001c0" } ], "repeated": 0, "id": 2578 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001c4" } ], "repeated": 0, "id": 2579 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001c8" } ], "repeated": 0, "id": 2580 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001cc" } ], "repeated": 0, "id": 2581 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001d8" } ], "repeated": 0, "id": 2582 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001d4" } ], "repeated": 0, "id": 2583 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001b4" } ], "repeated": 0, "id": 2584 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001ac" } ], "repeated": 0, "id": 2585 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001b0" } ], "repeated": 0, "id": 2586 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001a4" } ], "repeated": 0, "id": 2587 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001a8" } ], "repeated": 0, "id": 2588 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001a0" } ], "repeated": 0, "id": 2589 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000019c" } ], "repeated": 0, "id": 2590 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000198" } ], "repeated": 0, "id": 2591 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x755b2000" }, { "name": "ModuleName", "value": "ole32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2592 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x755b2000" }, { "name": "ModuleName", "value": "ole32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2593 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000184" } ], "repeated": 0, "id": 2594 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000188" } ], "repeated": 0, "id": 2595 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000180" } ], "repeated": 0, "id": 2596 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2597 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2598 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000017c" } ], "repeated": 0, "id": 2599 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000178" } ], "repeated": 0, "id": 2600 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000174" } ], "repeated": 0, "id": 2601 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000170" } ], "repeated": 0, "id": 2602 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002e0" } ], "repeated": 0, "id": 2603 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000328" } ], "repeated": 0, "id": 2604 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2605 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2606 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000150" } ], "repeated": 0, "id": 2607 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000154" } ], "repeated": 0, "id": 2608 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000158" } ], "repeated": 0, "id": 2609 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000158" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize" } ], "repeated": 0, "id": 2610 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000158" }, { "name": "ValueName", "value": "DisableMetaFiles" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles" } ], "repeated": 0, "id": 2611 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000158" } ], "repeated": 0, "id": 2612 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000158" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize" } ], "repeated": 0, "id": 2613 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000158" }, { "name": "ValueName", "value": "DisableUmpdBufferSizeCheck" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck" } ], "repeated": 0, "id": 2614 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000158" } ], "repeated": 0, "id": 2615 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtUnmapViewOfSectionEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x05b40000" }, { "name": "RegionSize", "value": "0x01260000" }, { "name": "Flags", "value": "0" } ], "repeated": 0, "id": 2616 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000033c" } ], "repeated": 0, "id": 2617 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000330" } ], "repeated": 0, "id": 2618 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006e1000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2619 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006e1000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2620 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000134" } ], "repeated": 0, "id": 2621 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000138" } ], "repeated": 0, "id": 2622 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000013c" } ], "repeated": 0, "id": 2623 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000140" } ], "repeated": 0, "id": 2624 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000144" } ], "repeated": 0, "id": 2625 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000014c" } ], "repeated": 0, "id": 2626 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000148" } ], "repeated": 0, "id": 2627 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000114" } ], "repeated": 0, "id": 2628 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000118" } ], "repeated": 0, "id": 2629 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000110" } ], "repeated": 0, "id": 2630 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000010c" } ], "repeated": 0, "id": 2631 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000104" } ], "repeated": 0, "id": 2632 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000108" } ], "repeated": 0, "id": 2633 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000f8" } ], "repeated": 0, "id": 2634 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000fc" } ], "repeated": 0, "id": 2635 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000100" } ], "repeated": 0, "id": 2636 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2637 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000e8" } ], "repeated": 0, "id": 2638 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000d0" } ], "repeated": 0, "id": 2639 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000d4" } ], "repeated": 0, "id": 2640 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000d8" } ], "repeated": 0, "id": 2641 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000dc" } ], "repeated": 0, "id": 2642 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000e0" } ], "repeated": 0, "id": 2643 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000e4" } ], "repeated": 0, "id": 2644 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000c4" } ], "repeated": 0, "id": 2645 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000cc" } ], "repeated": 0, "id": 2646 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" } ], "repeated": 0, "id": 2647 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f00000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76f5f4e0" } ], "repeated": 0, "id": 2648 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000029c" } ], "repeated": 0, "id": 2649 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006ca000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 2650 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006e1000" }, { "name": "RegionSize", "value": "0x00007000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2651 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x006ca000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 2652 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000ac" } ], "repeated": 0, "id": 2653 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000a8" } ], "repeated": 0, "id": 2654 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000a4" } ], "repeated": 0, "id": 2655 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000094" } ], "repeated": 0, "id": 2656 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000098" } ], "repeated": 0, "id": 2657 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000a0" } ], "repeated": 0, "id": 2658 }, { "timestamp": "2026-06-28 21:56:18,699", "thread_id": "3636", "caller": "0x00eddecb", "parentcaller": "0x00eddff7", "category": "process", "api": "NtTerminateProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "ExitCode", "value": "0x00000001" } ], "repeated": 0, "id": 2659 } ], "threads": [ "3636", "2296", "2520", "4744", "4992", "3536", "4784", "3960", "3548", "2136", "956", "524" ], "environ": { "UserName": "Rajesh", "ComputerName": "DESKTOP-P54VDBR", "WindowsPath": "C:\\Windows", "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\", "CommandLine": "\"C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf\"", "RegisteredOwner": "", "RegisteredOrganization": "", "ProductName": "", "SystemVolumeSerialNumber": "1c64-b66f", "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000", "MachineGUID": "", "MainExeBase": "0x00e20000", "MainExeSize": "0x00151000", "Bitness": "32-bit" }, "file_activities": { "read_files": [], "write_files": [], "delete_files": [] } } ], "anomaly": [], "processtree": [ { "name": "AcroRd32.exe", "pid": 3412, "parent_id": 2892, "module_path": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe", "children": [], "threads": [ "3636", "2296", "2520", "4744", "4992", "3536", "4784", "3960", "3548", "2136", "956", "524" ], "environ": { "UserName": "Rajesh", "ComputerName": "DESKTOP-P54VDBR", "WindowsPath": "C:\\Windows", "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\", "CommandLine": "\"C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf\"", "RegisteredOwner": "", "RegisteredOrganization": "", "ProductName": "", "SystemVolumeSerialNumber": "1c64-b66f", "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000", "MachineGUID": "", "MainExeBase": "0x00e20000", "MainExeSize": "0x00151000", "Bitness": "32-bit" } } ], "summary": { "files": [ "C:\\Windows\\System32\\ntmarta.dll", "C:\\Windows\\System32\\kernel.appcore.dll", "C:\\Windows\\System32\\bcryptPrimitives.dll", "\\Device\\CNG", "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\plug_ins\\Test_Tools\\Automation.api", "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf", "C:\\Users", "C:\\Users\\Rajesh", "C:\\Users\\Rajesh\\AppData", "C:\\Users\\Rajesh\\AppData\\Local", "C:\\Users\\Rajesh\\AppData\\Local\\Temp", "C:\\", "C:\\Users\\Rajesh\\Desktop\\TD DDF.pdf", "C:\\Users\\Rajesh\\Desktop", "C:\\Windows\\System32\\KBDUS.DLL", "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\plug_ins\\Test_Tools\\aaFEAT.api", "C:\\Windows\\System32\\windows.storage.dll", "C:\\Windows\\System32\\wldp.dll", "C:\\Program Files (x86)\\*", "C:\\Program Files (x86)", "C:\\Windows\\*", "C:\\Windows", "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\*", "C:\\Program Files (x86)\\Adobe\\Reader 11.0", "C:\\Program Files (x86)\\Adobe", "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\", "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\*", "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged\\11.0\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged\\11.0", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat", "C:\\Users\\Rajesh\\AppData\\Roaming", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft", "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot\\Ids\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot\\Ids", "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook\\*", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Outlook\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Outlook", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\8.0\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\8.0", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\9.0", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx", "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx\\*", "C:\\Windows\\System32", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0\\*", "C:\\Users\\Rajesh\\AppData\\LocalLow", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Linguistics", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Linguistics\\*", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IMJP*\\*", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IMJP*", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IME*\\*", "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IME*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0\\*", "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0", "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0\\*", "C:\\Users\\Rajesh\\AppData\\Local\\Adobe", "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat", "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color", "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Linguistics", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Linguistics\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\LogTransport2", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\LogTransport2\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Headlights", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Headlights\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IME*\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IME*", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IME*\\*", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IME*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IMJP*\\*", "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IMJP*", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IMJP*\\*", "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IMJP*", "C:\\Users\\Rajesh\\Documents\\ArcotIDs\\*", "C:\\Users\\Rajesh\\Documents\\ArcotIDs", "C:\\Users\\Rajesh\\Documents", "C:\\Users\\Rajesh\\AppData\\Local\\Lotus\\Notes\\Data", "C:\\Users\\Rajesh\\AppData\\Roaming\\Intuit\\Quicken\\Log", "C:\\Users\\Rajesh\\AppData\\Roaming\\Justsystem", "C:\\Users\\Rajesh\\AppData\\Roaming\\Enfocus Prefs Folder", "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe.3.Manifest", "C:\\Windows\\System32\\msctf.dll", "C:\\Windows\\Fonts\\staticcache.dat", "C:\\Windows\\System32\\TextShaping.dll", "C:\\Windows\\System32\\textinputframework.dll", "C:\\Windows\\System32\\CoreUIComponents.dll", "C:\\Windows\\System32\\CoreMessaging.dll", "C:\\Windows\\System32\\WinTypes.dll", "C:\\Windows\\SystemResources\\USER32.dll.mun" ], "read_files": [], "write_files": [], "delete_files": [], "keys": [ "HKEY_LOCAL_MACHINE\\Software\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bProtectedMode", "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Privileged", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableAlternateTempDirectory", "bEnableAlternateTempDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableAlternateLaunchDesktop", "bEnableAlternateLaunchDesktop", "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Adobe Acrobat\\11.0\\Security", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnforceReadRestrictions", "bEnforceReadRestrictions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableGlobalAtomRestrictions", "bEnableGlobalAtomRestrictions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bPreventCreatingExecutables", "bPreventCreatingExecutables", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableBinaryPlantingProtection", "bEnableBinaryPlantingProtection", "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\11.0\\Installer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Adobe\\Acrobat Reader\\11.0\\Installer\\Path", "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\iMaxMRUCnt", "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\aFS", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\tDIText", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\sDI", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies", "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bDisableCryptBroker", "HKEY_CURRENT_USER", "HKEY_CURRENT_USER\\Keyboard Layout\\Preload", "HKEY_CURRENT_USER\\Keyboard Layout\\Preload\\1", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\00000409", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Keyboard Layouts\\00000409\\Layout File", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Keyboard Layouts\\00000409\\Attributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bUseWhitelistConfigFile", "HKEY_CURRENT_USER\\", "HKEY_CLASSES_ROOT\\", "HKEY_LOCAL_MACHINE\\", "HKEY_USERS\\", "HKEY_CURRENT_CONFIG\\", "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\11.0", "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0", "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\11.0", "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe ARM\\1.0\\ARM", "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 11", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Justsystem\\ATOK\\Setup\\Folder", "Atok23", "Atok24", "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0\\Language\\current\\", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\Language\\current\\(Default)", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\System", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AcroRd32.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MS Shell Dlg 2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Input", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck" ], "read_keys": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bProtectedMode", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableAlternateTempDirectory", "bEnableAlternateTempDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableAlternateLaunchDesktop", "bEnableAlternateLaunchDesktop", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnforceReadRestrictions", "bEnforceReadRestrictions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableGlobalAtomRestrictions", "bEnableGlobalAtomRestrictions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bPreventCreatingExecutables", "bPreventCreatingExecutables", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableBinaryPlantingProtection", "bEnableBinaryPlantingProtection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Adobe\\Acrobat Reader\\11.0\\Installer\\Path", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\iMaxMRUCnt", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\aFS", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\tDIText", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\sDI", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bDisableCryptBroker", "HKEY_CURRENT_USER\\Keyboard Layout\\Preload\\1", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Keyboard Layouts\\00000409\\Layout File", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Keyboard Layouts\\00000409\\Attributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bUseWhitelistConfigFile", "Atok23", "Atok24", "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\Language\\current\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck" ], "write_keys": [], "delete_keys": [], "executed_commands": [], "resolved_apis": [], "mutexes": [ "Global\\ARM Update Mutex", "Global\\Acro Update Mutex", "{100184D2-BDC3-477a-B8D3-65548B67914C}_3412", "Local\\SM0:3412:168:WilStaging_02", "Local\\MSCTF.Asm.MutexDefault2", "CicLoadWinStaWinSta0", "Local\\MSCTF.CtfMonitorInstMutexDefault2" ], "created_services": [], "started_services": [] }, "enhanced": [ { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 1, "data": { "file": "KERNEL32.DLL", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 2, "data": { "file": "KERNEL32.DLL", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 3, "data": { "file": "SHELL32.dll", "pathtofile": null, "moduleaddress": "0x76320000" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 4, "data": { "file": "kernel32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,230", "eid": 5, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bProtectedMode", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 6, "data": { "file": "sftldr.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 7, "data": { "file": "sftldr_wow64.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "findwindow", "object": "windowname", "timestamp": "2026-06-28 21:56:15,230", "eid": 8, "data": { "classname": "32770", "windowname": "_AcroAppTimer" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,230", "eid": 9, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableAlternateTempDirectory", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,230", "eid": 10, "data": { "regkey": "bEnableAlternateTempDirectory", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,230", "eid": 11, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableAlternateLaunchDesktop", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,230", "eid": 12, "data": { "regkey": "bEnableAlternateLaunchDesktop", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 13, "data": { "file": "kernel32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 14, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "findwindow", "object": "windowname", "timestamp": "2026-06-28 21:56:15,230", "eid": 15, "data": { "classname": "AdobeAcrobatSpeedLaunchCmdWnd", "windowname": "" } }, { "event": "findwindow", "object": "windowname", "timestamp": "2026-06-28 21:56:15,230", "eid": 16, "data": { "classname": "AdobeReaderSpeedLaunchCmdWnd", "windowname": "" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 17, "data": { "file": "ole32.dll", "pathtofile": null, "moduleaddress": "0x754f0000" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,230", "eid": 18, "data": { "file": "C:\\Windows\\system32\\rpcss.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 19, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 20, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "content": "0" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 21, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 22, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 23, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnforceReadRestrictions", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 24, "data": { "regkey": "bEnforceReadRestrictions", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 25, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableGlobalAtomRestrictions", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 26, "data": { "regkey": "bEnableGlobalAtomRestrictions", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 27, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bPreventCreatingExecutables", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 28, "data": { "regkey": "bPreventCreatingExecutables", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 29, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\bEnableBinaryPlantingProtection", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 30, "data": { "regkey": "bEnableBinaryPlantingProtection", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,246", "eid": 31, "data": { "file": "ADVAPI32.DLL", "pathtofile": null, "moduleaddress": "0x75670000" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,246", "eid": 32, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Adobe\\Acrobat Reader\\11.0\\Installer\\Path", "content": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,246", "eid": 33, "data": { "file": "C:\\Windows\\System32\\uxtheme.dll", "pathtofile": null, "moduleaddress": "0x74330000" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,277", "eid": 34, "data": { "file": "MPR.dll", "pathtofile": null, "moduleaddress": "0x74000000" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,277", "eid": 35, "data": { "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\iMaxMRUCnt", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,277", "eid": 36, "data": { "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\aFS", "content": "DOS" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,277", "eid": 37, "data": { "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\tDIText", "content": "/C/Users/Rajesh/Desktop/TD DDF.pdf" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,277", "eid": 38, "data": { "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\sDI", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,277", "eid": 39, "data": { "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\cRecentFiles\\c1\\sDI", "content": "/C/Users/Rajesh/Desktop/TD DDF.pdf\\x00" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,293", "eid": 40, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,293", "eid": 41, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,293", "eid": 42, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bDisableCryptBroker", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,293", "eid": 43, "data": { "regkey": "HKEY_CURRENT_USER\\Keyboard Layout\\Preload\\1", "content": "00000409" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,293", "eid": 44, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Keyboard Layouts\\00000409\\Layout File", "content": "KBDUS.DLL" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,293", "eid": 45, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Keyboard Layouts\\00000409\\Attributes", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 46, "data": { "file": "KBDUS.DLL", "pathtofile": null, "moduleaddress": "0x73a20000" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 47, "data": { "file": "adialhk.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 48, "data": { "file": "acpiz.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 49, "data": { "file": "avgrsstx.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 50, "data": { "file": "babylonchromepi.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 51, "data": { "file": "babylo~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 52, "data": { "file": "btkeyind.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 53, "data": { "file": "cmcsyshk.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 54, "data": { "file": "cmsetac.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 55, "data": { "file": "cooliris.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 56, "data": { "file": "dockshellhook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 57, "data": { "file": "docksh~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 58, "data": { "file": "easyhook32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 59, "data": { "file": "easyho~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 60, "data": { "file": "googledesktopnetwork3.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 61, "data": { "file": "google~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 62, "data": { "file": "fwhook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 63, "data": { "file": "hookprocesscreation.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 64, "data": { "file": "hookpr~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 65, "data": { "file": "hookterminateapis.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 66, "data": { "file": "hookte~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 67, "data": { "file": "hookprintapis.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 68, "data": { "file": "hookpr~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 69, "data": { "file": "imon.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 70, "data": { "file": "ioloHL.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 71, "data": { "file": "kloehk.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 72, "data": { "file": "lawenforcer.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 73, "data": { "file": "lawenf~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 74, "data": { "file": "libdivx.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 75, "data": { "file": "lvprcinj01.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 76, "data": { "file": "lvprci~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 77, "data": { "file": "madchook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 78, "data": { "file": "mdnsnsp.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 79, "data": { "file": "moonsysh.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 80, "data": { "file": "mpk.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 81, "data": { "file": "npdivx32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 82, "data": { "file": "npggNT.des", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 83, "data": { "file": "npggNT.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 84, "data": { "file": "oawatch.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 85, "data": { "file": "owexplorer-10513.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 86, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 87, "data": { "file": "owexplorer-10514.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 88, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 89, "data": { "file": "owexplorer-10515.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 90, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 91, "data": { "file": "owexplorer-10516.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 92, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 93, "data": { "file": "owexplorer-10517.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 94, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 95, "data": { "file": "owexplorer-10518.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 96, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 97, "data": { "file": "owexplorer-10519.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 98, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 99, "data": { "file": "owexplorer-10520.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 100, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 101, "data": { "file": "owexplorer-10521.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 102, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 103, "data": { "file": "owexplorer-10522.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 104, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 105, "data": { "file": "owexplorer-10523.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 106, "data": { "file": "owexpl~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 107, "data": { "file": "pavhook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 108, "data": { "file": "pavlsphook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 109, "data": { "file": "pavlsp~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 110, "data": { "file": "pavshook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 111, "data": { "file": "pavshookwow.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 112, "data": { "file": "pavsho~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 113, "data": { "file": "pctavhook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 114, "data": { "file": "pctavh~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 115, "data": { "file": "pctgmhk.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 116, "data": { "file": "prntrack.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 117, "data": { "file": "protector.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 118, "data": { "file": "protec~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 119, "data": { "file": "radhslib.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 120, "data": { "file": "radprlib.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 121, "data": { "file": "rapportnikko.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 122, "data": { "file": "rappor~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 123, "data": { "file": "rlhook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 124, "data": { "file": "rooksdol.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 125, "data": { "file": "rpchromebrowserrecordhelper.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 126, "data": { "file": "rpchro~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 127, "data": { "file": "r3hook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 128, "data": { "file": "sahook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 129, "data": { "file": "sbrige.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 130, "data": { "file": "sc2hook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 131, "data": { "file": "sdhook32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 132, "data": { "file": "sguard.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 133, "data": { "file": "smum32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 134, "data": { "file": "smumhook.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 135, "data": { "file": "ssldivx.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 136, "data": { "file": "syncor11.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 137, "data": { "file": "systools.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 138, "data": { "file": "tfwah.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 139, "data": { "file": "wblind.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 140, "data": { "file": "wbhelp.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 141, "data": { "file": "winstylerthemehelper.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,308", "eid": 142, "data": { "file": "winsty~1.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,308", "eid": 143, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\11.0\\FeatureLockDown\\bUseWhitelistConfigFile", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,308", "eid": 144, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Adobe\\Acrobat Reader\\11.0\\Installer\\Path", "content": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,418", "eid": 145, "data": { "file": "api-ms-win-core-synch-l1-2-0.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,433", "eid": 146, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Adobe\\Acrobat Reader\\11.0\\Installer\\Path", "content": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,433", "eid": 147, "data": { "file": "kernel32.dll", "pathtofile": null, "moduleaddress": "0x75130000" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,558", "eid": 148, "data": { "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,574", "eid": 149, "data": { "file": "C:\\Windows\\System32\\shell32.dll", "pathtofile": null, "moduleaddress": "0x76320000" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,574", "eid": 150, "data": { "file": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,605", "eid": 151, "data": { "file": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Linguistics" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,621", "eid": 152, "data": { "file": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,636", "eid": 153, "data": { "file": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,652", "eid": 154, "data": { "file": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,652", "eid": 155, "data": { "file": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Linguistics" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,652", "eid": 156, "data": { "file": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,652", "eid": 157, "data": { "file": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\LogTransport2" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,668", "eid": 158, "data": { "file": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Headlights" } }, { "event": "create", "object": "dir", "timestamp": "2026-06-28 21:56:15,668", "eid": 159, "data": { "file": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 160, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,715", "eid": 161, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 162, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 163, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 164, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 165, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 166, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 167, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 168, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 169, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 170, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 171, "data": { "regkey": "HKEY_CLASSES_ROOT\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 172, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 173, "data": { "regkey": "HKEY_LOCAL_MACHINE\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 174, "data": { "regkey": "HKEY_USERS\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,715", "eid": 175, "data": { "regkey": "HKEY_CURRENT_CONFIG\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 176, "data": { "regkey": "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\11.0" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 177, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 178, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 179, "data": { "regkey": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\11.0" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 180, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 181, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 182, "data": { "regkey": "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\11.0" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 183, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 184, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 185, "data": { "regkey": "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe ARM\\1.0\\ARM" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 186, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 187, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 188, "data": { "regkey": "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 11" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 189, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 190, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 191, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 192, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 193, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 194, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 195, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 196, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 197, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 198, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 199, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 200, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "write", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 201, "data": { "regkey": "HKEY_CURRENT_USER\\" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 202, "data": { "regkey": "Atok23", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 203, "data": { "regkey": "Atok24", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,730", "eid": 204, "data": { "file": "oleaut32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 205, "data": { "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\11.0\\Language\\current\\(Default)", "content": "acrord32.dll" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,730", "eid": 206, "data": { "file": "Kernel32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,730", "eid": 207, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,746", "eid": 208, "data": { "file": "Comctl32.dll", "pathtofile": null, "moduleaddress": "0x73800000" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,777", "eid": 209, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,793", "eid": 210, "data": { "file": "comctl32.dll", "pathtofile": null, "moduleaddress": "0x73800000" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,793", "eid": 211, "data": { "file": "user32", "pathtofile": null, "moduleaddress": "0x75d20000" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,793", "eid": 212, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,793", "eid": 213, "data": { "file": "comctl32.dll", "pathtofile": null, "moduleaddress": "0x73800000" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,808", "eid": 214, "data": { "file": "comctl32.dll", "pathtofile": null, "moduleaddress": "0x73800000" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,808", "eid": 215, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,808", "eid": 216, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath", "content": "C:\\Windows\\Fonts\\staticcache.dat" } }, { "event": "read", "object": "file", "timestamp": "2026-06-28 21:56:15,808", "eid": 217, "data": { "file": "C:\\Windows\\Fonts\\StaticCache.dat" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 218, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 219, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2", "content": "SimSun-ExtB" } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 220, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 221, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 222, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 223, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 224, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 225, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 226, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 227, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 228, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 229, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 230, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 231, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 232, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,824", "eid": 233, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,840", "eid": 234, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,840", "eid": 235, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,840", "eid": 236, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,980", "eid": 237, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:15,980", "eid": 238, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:15,980", "eid": 239, "data": { "file": "USER32", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:16,011", "eid": 240, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:16,011", "eid": 241, "data": { "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:17,621", "eid": 242, "data": { "file": "C:\\Windows\\System32\\msctf.dll", "pathtofile": null, "moduleaddress": "0x768e0000" } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,652", "eid": 243, "data": { "file": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,652", "eid": 244, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,652", "eid": 245, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:18,652", "eid": 246, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:18,652", "eid": 247, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:18,652", "eid": 248, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,668", "eid": 249, "data": { "file": "iertutil.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,668", "eid": 250, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:18,668", "eid": 251, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,683", "eid": 252, "data": { "file": "oleaut32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,683", "eid": 253, "data": { "file": "mscoree.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 254, "data": { "file": "kernel32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 255, "data": { "file": "kernelbase.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 256, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 257, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 258, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 259, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 260, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 261, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 262, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 263, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 264, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 265, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 266, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 267, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:18,699", "eid": 268, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2026-06-28 21:56:18,699", "eid": 269, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck", "content": null } }, { "event": "load", "object": "library", "timestamp": "2026-06-28 21:56:18,699", "eid": 270, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } } ], "encryptedbuffers": [], "network_map": { "endpoint_map": {}, "http_host_map": {}, "dns_intents": {}, "http_requests": [], "winhttp_sessions": [], "com_activations": [] } }, "debug": { "log": "2026-06-28 14:55:57,955 [root] INFO: Date set to: 20260629T10:08:52, timeout set to: 225\n2026-06-29 10:08:52,203 [root] DEBUG: Starting analyzer from: C:\\7d7wfxi0\n2026-06-29 10:08:52,204 [root] DEBUG: Storing results at: C:\\cUJPOo\n2026-06-29 10:08:52,206 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\pcWTWbc\n2026-06-29 10:08:52,207 [root] DEBUG: Python path: C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\n2026-06-29 10:08:52,207 [root] INFO: analysis running as an admin\n2026-06-29 10:08:52,207 [root] INFO: analysis package specified: \"pdf\"\n2026-06-29 10:08:52,208 [root] DEBUG: importing analysis package module: \"modules.packages.pdf\"...\n2026-06-29 10:08:52,289 [root] DEBUG: imported analysis package \"pdf\"\n2026-06-29 10:08:52,290 [root] DEBUG: initializing analysis package \"pdf\"...\n2026-06-29 10:08:52,290 [lib.common.common] INFO: no wrapping\n2026-06-29 10:08:52,322 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-29 10:08:52,324 [root] DEBUG: New location of moved file: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf\n2026-06-29 10:08:52,324 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a dll option\n2026-06-29 10:08:52,325 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a dll_64 option\n2026-06-29 10:08:52,325 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a loader option\n2026-06-29 10:08:52,326 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a loader_64 option\n2026-06-28 14:56:02,193 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-06-28 14:56:02,361 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-06-28 14:56:02,393 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-06-28 14:56:02,483 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-06-28 14:56:02,496 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2026-06-28 14:56:02,497 [lib.api.screenshot] ERROR: No module named 'PIL'\n2026-06-28 14:56:02,499 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-06-28 14:56:02,505 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-06-28 14:56:02,506 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-06-28 14:56:02,506 [root] DEBUG: attempting to configure 'Browser' from data\n2026-06-28 14:56:02,507 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-06-28 14:56:02,508 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-06-28 14:56:02,515 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-06-28 14:56:02,515 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-06-28 14:56:02,515 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-06-28 14:56:02,516 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-06-28 14:56:02,516 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-06-28 14:56:02,517 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-06-28 14:56:03,146 [modules.auxiliary.digisig] DEBUG: File has an invalid signature\n2026-06-28 14:56:03,147 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-06-28 14:56:03,157 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-06-28 14:56:03,158 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-06-28 14:56:03,158 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-06-28 14:56:03,158 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-06-28 14:56:03,158 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2026-06-28 14:56:03,164 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 3596)\n2026-06-28 14:56:03,170 [modules.auxiliary.disguise] INFO: Disguising GUID to 842c770e-8d4c-479e-81ce-001439b61ed1\n2026-06-28 14:56:03,170 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-06-28 14:56:03,171 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-06-28 14:56:03,171 [root] DEBUG: attempting to configure 'Human' from data\n2026-06-28 14:56:03,172 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-06-28 14:56:03,172 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-06-28 14:56:03,173 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-06-28 14:56:03,174 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-06-28 14:56:03,174 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-06-28 14:56:03,175 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-06-28 14:56:03,175 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-06-28 14:56:03,180 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2026-06-28 14:56:03,181 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-06-28 14:56:03,185 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-06-28 14:56:03,185 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-06-28 14:56:03,186 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-06-28 14:56:03,186 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-06-28 14:56:03,189 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process\n2026-06-28 14:56:03,189 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-06-28 14:56:09,077 [root] INFO: Restarting WMI Service\n2026-06-28 14:56:11,332 [root] DEBUG: package modules.packages.pdf does not support configure, ignoring\n2026-06-28 14:56:11,334 [root] WARNING: configuration error for package modules.packages.pdf: error importing data.packages.pdf: No module named 'data.packages'\n2026-06-28 14:56:11,337 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-28 14:56:11,341 [lib.api.process] INFO: Successfully executed process from path \"C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe\" with arguments \"\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf\"\" with pid 3412\n2026-06-28 14:56:11,342 [lib.api.process] INFO: Monitor config for process 3412: C:\\7d7wfxi0\\dll\\3412.ini\n2026-06-28 14:56:11,348 [lib.api.process] INFO: Option 'pdf' with value '1' sent to monitor\n2026-06-28 14:56:12,861 [lib.api.process] INFO: 32-bit DLL to inject is C:\\7d7wfxi0\\dll\\hJaFnIOU.dll, loader C:\\7d7wfxi0\\bin\\wdHkqEG.exe\n2026-06-28 14:56:12,900 [root] DEBUG: Loader: Injecting process 3412 (thread 3636) with C:\\7d7wfxi0\\dll\\hJaFnIOU.dll.\n2026-06-28 14:56:12,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-28 14:56:12,906 [root] DEBUG: Successfully injected DLL C:\\7d7wfxi0\\dll\\hJaFnIOU.dll.\n2026-06-28 14:56:12,911 [lib.api.process] INFO: Injected into 32-bit \n2026-06-28 14:56:14,949 [lib.api.process] INFO: Successfully resumed process with pid 3412\n2026-06-28 14:56:14,967 [root] DEBUG: 3412: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-28 14:56:14,970 [root] DEBUG: 3412: Disabling sleep skipping.\n2026-06-28 14:56:14,972 [root] DEBUG: 3412: PDF (Adobe) settings enabled.\n2026-06-28 14:56:14,973 [root] DEBUG: 3412: Dropped file limit defaulting to 100.\n2026-06-28 14:56:15,007 [root] DEBUG: 3412: YaraInit: Compiled 44 rule files\n2026-06-28 14:56:15,011 [root] DEBUG: 3412: YaraInit: Compiled rules saved to file C:\\7d7wfxi0\\data\\yara\\capemon.yac\n2026-06-28 14:56:15,013 [root] DEBUG: 3412: YaraScan: Scanning 0x00E20000, size 0x14c906\n2026-06-28 14:56:15,030 [root] DEBUG: 3412: Monitor initialised: 32-bit capemon loaded in process 3412 at 0x73a70000, thread 3636, image base 0xe20000, stack from 0x4f2000-0x500000\n2026-06-28 14:56:15,032 [root] DEBUG: 3412: Commandline: \"C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\TD DDF.pdf\"\n2026-06-28 14:56:15,101 [root] DEBUG: 3412: hook_api: LdrpCallInitRoutine export address 0x76F72980 obtained via GetFunctionAddress\n2026-06-28 14:56:15,143 [root] DEBUG: 3412: hook_api: Trampoline creation failed for GetCommandLineA, retrying with HOOK_SAFEST\n2026-06-28 14:56:15,145 [root] DEBUG: 3412: hook_api: Trampoline creation failed for GetCommandLineW, retrying with HOOK_SAFEST\n2026-06-28 14:56:15,165 [root] DEBUG: 3412: Hooked 635 out of 635 functions\n2026-06-28 14:56:15,185 [root] DEBUG: 3412: Syscall hook installed, syscall logging level 1\n2026-06-28 14:56:15,206 [root] DEBUG: 3412: RestoreHeaders: Restored original import table.\n2026-06-28 14:56:15,208 [root] INFO: Loaded monitor into process with pid 3412\n2026-06-28 14:56:15,212 [root] DEBUG: 3412: caller_dispatch: Added region at 0x00E20000 to tracked regions list (kernel32::HeapCreate returns to 0x00E21324, thread 3636).\n2026-06-28 14:56:15,214 [root] DEBUG: 3412: YaraScan: Scanning 0x00E20000, size 0x14c906\n2026-06-28 14:56:15,230 [root] DEBUG: 3412: ProcessImageBase: Main module image at 0x00E20000 unmodified (entropy change 0.000000e+00)\n2026-06-28 14:56:15,238 [root] DEBUG: 3412: DLL loaded at 0x73A30000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2026-06-28 14:56:15,246 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x74CF9000 to tracked regions.\n2026-06-28 14:56:15,247 [root] DEBUG: 3412: DLL loaded at 0x74CF0000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2026-06-28 14:56:15,249 [root] DEBUG: 3412: DLL loaded at 0x769D0000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2026-06-28 14:56:15,301 [root] DEBUG: 3412: DLL loaded at 0x73A20000: C:\\Windows\\SYSTEM32\\KBDUS (0x6000 bytes).\n2026-06-28 14:56:15,317 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x746CD000 to tracked regions.\n2026-06-28 14:56:15,318 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x74CF0000.\n2026-06-28 14:56:15,319 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x74CF0000: 4.536475e+00 (from 4.536486e+00)\n2026-06-28 14:56:15,323 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x74CF0000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel.appcore.dll is in known range, skipping\n2026-06-28 14:56:15,325 [root] DEBUG: 3412: DLL loaded at 0x746B0000: C:\\Windows\\SYSTEM32\\Wldp (0x24000 bytes).\n2026-06-28 14:56:15,326 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x74C7B000 to tracked regions.\n2026-06-28 14:56:15,424 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x746B0000.\n2026-06-28 14:56:15,425 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x746B0000: 5.876921e+00 (from 5.876942e+00)\n2026-06-28 14:56:15,426 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x746B0000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\wldp.dll is in known range, skipping\n2026-06-28 14:56:15,428 [root] DEBUG: 3412: DLL loaded at 0x746E0000: C:\\Windows\\SYSTEM32\\windows.storage (0x608000 bytes).\n2026-06-28 14:56:15,583 [root] DEBUG: 3412: DLL loaded at 0x73A10000: C:\\Windows\\SYSTEM32\\profapi (0x18000 bytes).\n2026-06-28 14:56:15,745 [root] DEBUG: 3412: DLL loaded at 0x73800000: C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\Comctl32 (0x210000 bytes).\n2026-06-28 14:56:15,754 [root] DEBUG: 3412: InstrumentationCallback: Added region at 0x751524AC (base 0x75130000) to tracked regions list (thread 3636).\n2026-06-28 14:56:15,755 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x75130000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-06-28 14:56:15,761 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x769A3000 to tracked regions.\n2026-06-28 14:56:15,775 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x746E0000.\n2026-06-28 14:56:15,781 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x746E0000: 6.748780e+00 (from 6.747990e+00)\n2026-06-28 14:56:15,782 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x746E0000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\windows.storage.dll is in known range, skipping\n2026-06-28 14:56:15,783 [root] DEBUG: 3412: DLL loaded at 0x768E0000: C:\\Windows\\System32\\MSCTF (0xd3000 bytes).\n2026-06-28 14:56:15,822 [root] DEBUG: 3412: DLL loaded at 0x73760000: C:\\Windows\\SYSTEM32\\TextShaping (0x94000 bytes).\n2026-06-28 14:56:15,861 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x733E6000 to tracked regions.\n2026-06-28 14:56:15,877 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x768E0000.\n2026-06-28 14:56:15,879 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x768E0000: 6.698540e+00 (from 6.696684e+00)\n2026-06-28 14:56:15,880 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x768E0000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\msctf.dll is in known range, skipping\n2026-06-28 14:56:15,882 [root] DEBUG: 3412: DLL loaded at 0x73380000: C:\\Windows\\System32\\CoreMessaging (0x9b000 bytes).\n2026-06-28 14:56:15,884 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x73360000 to tracked regions.\n2026-06-28 14:56:15,896 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x73380000.\n2026-06-28 14:56:15,897 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x73380000: 6.428922e+00 (from 6.428927e+00)\n2026-06-28 14:56:15,898 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x73380000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\CoreMessaging.dll is in known range, skipping\n2026-06-28 14:56:15,899 [root] DEBUG: 3412: DLL loaded at 0x732A0000: C:\\Windows\\SYSTEM32\\wintypes (0xdb000 bytes).\n2026-06-28 14:56:15,902 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x7358D000 to tracked regions.\n2026-06-28 14:56:15,975 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x732A0000.\n2026-06-28 14:56:15,978 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x732A0000: 6.564400e+00 (from 6.564401e+00)\n2026-06-28 14:56:15,979 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x732A0000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\WinTypes.dll is in known range, skipping\n2026-06-28 14:56:15,980 [root] DEBUG: 3412: DLL loaded at 0x73420000: C:\\Windows\\System32\\CoreUIComponents (0x27e000 bytes).\n2026-06-28 14:56:15,983 [root] DEBUG: 3412: DLL loaded at 0x736A0000: C:\\Windows\\SYSTEM32\\textinputframework (0xb9000 bytes).\n2026-06-28 14:56:17,640 [modules.auxiliary.human] INFO: Found button \"ok\", clicking it\n2026-06-29 03:09:16,002 [root] DEBUG: 3412: NtTerminateProcess hook: Attempting to dump process 3412\n2026-06-29 03:09:16,004 [root] DEBUG: 3412: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 03:09:16,012 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x73420000: 6.290003e+00 (from 6.289482e+00)\n2026-06-29 03:09:16,016 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x73420000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\CoreUIComponents.dll is in known range, skipping\n2026-06-29 03:09:16,026 [root] INFO: Process with pid 3412 has terminated\n2026-06-29 03:09:21,408 [root] INFO: Process list is empty, terminating analysis\n2026-06-29 03:09:22,430 [root] INFO: Created shutdown mutex\n2026-06-29 03:09:23,439 [root] INFO: Shutting down package\n2026-06-29 03:09:23,440 [root] INFO: Stopping auxiliary modules\n2026-06-29 03:09:23,442 [root] INFO: Stopping auxiliary module: Browser\n2026-06-29 03:09:23,442 [root] INFO: Stopping auxiliary module: Human\n2026-06-29 03:09:26,846 [root] INFO: Stopping auxiliary module: Screenshots\n2026-06-29 03:09:26,848 [root] INFO: Finishing auxiliary modules\n2026-06-29 03:09:26,848 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-06-29 03:09:26,848 [root] WARNING: Folder at path \"C:\\cUJPOo\\debugger\" does not exist, skipping\n2026-06-29 03:09:26,848 [root] WARNING: Folder at path \"C:\\cUJPOo\\tlsdump\" does not exist, skipping\n2026-06-29 03:09:26,849 [root] INFO: Analysis completed\n", "errors": [] }, "network": { "pcap_sha256": "042a71e730c2dd1644bff1008c1835752990434960dc64029cb2b6f6d87e6e34", "hosts": [ { "ip": "173.194.76.94", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "40.126.31.131", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "108.177.15.139", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "108.177.15.94", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "74.125.206.84", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "66.102.1.138", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "74.125.206.138", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "74.125.133.95", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "142.251.150.119", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "142.251.168.139", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "142.251.168.100", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "74.125.206.101", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "74.125.71.94", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "142.251.16.94", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] } ], "domains": [], "tcp": [ { "src": "192.168.122.139", "sport": 49696, "dst": "142.251.16.94", "dport": 443, "offset": 24, "time": 0.0 }, { "src": "192.168.122.139", "sport": 49697, "dst": "74.125.71.94", "dport": 443, "offset": 95, "time": 0.03144216537475586 }, { "src": "192.168.122.139", "sport": 49698, "dst": "74.125.206.101", "dport": 443, "offset": 306, "time": 1.6146609783172607 }, { "src": "192.168.122.139", "sport": 49681, "dst": "142.251.168.100", "dport": 443, "offset": 447, "time": 4.8418660163879395 }, { "src": "192.168.122.139", "sport": 49754, "dst": "142.251.168.139", "dport": 443, "offset": 1118, "time": 4.87359619140625 }, { "src": "192.168.122.139", "sport": 49755, "dst": "142.251.16.94", "dport": 443, "offset": 10605, "time": 5.035469055175781 }, { "src": "192.168.122.139", "sport": 49679, "dst": "142.251.150.119", "dport": 443, "offset": 15370, "time": 7.062117099761963 }, { "src": "192.168.122.139", "sport": 49686, "dst": "74.125.133.95", "dport": 443, "offset": 15723, "time": 9.468208074569702 }, { "src": "192.168.122.139", "sport": 49687, "dst": "74.125.206.138", "dport": 443, "offset": 15864, "time": 9.753698110580444 }, { "src": "192.168.122.139", "sport": 49682, "dst": "66.102.1.138", "dport": 443, "offset": 16005, "time": 10.152048110961914 }, { "src": "192.168.122.139", "sport": 49680, "dst": "74.125.206.84", "dport": 443, "offset": 16146, "time": 17.05793309211731 }, { "src": "192.168.122.139", "sport": 49683, "dst": "108.177.15.94", "dport": 443, "offset": 16287, "time": 18.667245149612427 }, { "src": "192.168.122.139", "sport": 49688, "dst": "108.177.15.139", "dport": 443, "offset": 16640, "time": 22.143227100372314 }, { "src": "192.168.122.139", "sport": 49758, "dst": "40.126.31.131", "dport": 443, "offset": 17085, "time": 22.27342700958252 }, { "src": "192.168.122.139", "sport": 49693, "dst": "173.194.76.94", "dport": 443, "offset": 40159, "time": 27.12007713317871 }, { "src": "192.168.122.139", "sport": 49695, "dst": "108.177.15.139", "dport": 443, "offset": 132178, "time": 30.895298957824707 } ], "udp": [ { "src": "192.168.122.139", "sport": 5353, "dst": "224.0.0.251", "dport": 5353, "offset": 8657, "time": 4.915436029434204 }, { "src": "192.168.122.139", "sport": 60180, "dst": "224.0.0.252", "dport": 5355, "offset": 8914, "time": 4.917663097381592 }, { "src": "192.168.122.139", "sport": 65239, "dst": "192.168.122.1", "dport": 53, "offset": 15134, "time": 5.747178077697754 }, { "src": "192.168.122.139", "sport": 63147, "dst": "192.168.122.1", "dport": 53, "offset": 40300, "time": 27.669474124908447 }, { "src": "192.168.122.139", "sport": 60076, "dst": "224.0.0.252", "dport": 5355, "offset": 40489, "time": 27.67348599433899 }, { "src": "192.168.122.139", "sport": 60077, "dst": "239.255.255.250", "dport": 1900, "offset": 131946, "time": 30.728105068206787 }, { "src": "192.168.122.139", "sport": 49745, "dst": "192.168.122.1", "dport": 53, "offset": 132853, "time": 33.58368706703186 } ], "icmp": [], "http": [], "dns": [], "smtp": [], "irc": [], "dead_hosts": [] }, "url_analysis": {}, "procmemory": [], "signatures": [ { "name": "stealth_network", "description": "Network activity detected but not expressed in monitor API logs", "categories": [ "stealth" ], "severity": 1, "weight": 1, "confidence": 100, "references": [], "data": [ { "ip": "173.194.76.94" }, { "ip": "40.126.31.131" }, { "ip": "108.177.15.139" }, { "ip": "108.177.15.94" }, { "ip": "74.125.206.84" }, { "ip": "66.102.1.138" }, { "ip": "74.125.206.138" }, { "ip": "74.125.133.95" }, { "ip": "142.251.150.119" }, { "ip": "142.251.168.139" }, { "ip": "142.251.168.100" }, { "ip": "74.125.206.101" }, { "ip": "74.125.71.94" }, { "ip": "142.251.16.94" } ], "new_data": [], "alert": false, "families": [] }, { "name": "exploit_heapspray", "description": "A possible heap spray exploit has been detected", "categories": [ "exploit" ], "severity": 1, "weight": 1, "confidence": 40, "references": [], "data": [ { "type": "call", "pid": 3412, "cid": 19 }, { "type": "call", "pid": 3412, "cid": 20 }, { "type": "call", "pid": 3412, "cid": 28 }, { "type": "call", "pid": 3412, "cid": 87 }, { "type": "call", "pid": 3412, "cid": 172 }, { "type": "call", "pid": 3412, "cid": 173 }, { "type": "call", "pid": 3412, "cid": 174 }, { "type": "call", "pid": 3412, "cid": 218 }, { "type": "call", "pid": 3412, "cid": 243 }, { "type": "call", "pid": 3412, "cid": 244 }, { "type": "call", "pid": 3412, "cid": 245 }, { "type": "call", "pid": 3412, "cid": 246 }, { "type": "call", "pid": 3412, "cid": 327 }, { "type": "call", "pid": 3412, "cid": 328 }, { "type": "call", "pid": 3412, "cid": 329 }, { "type": "call", "pid": 3412, "cid": 333 }, { "type": "call", "pid": 3412, "cid": 334 }, { "type": "call", "pid": 3412, "cid": 335 }, { "type": "call", "pid": 3412, "cid": 336 }, { "type": "call", "pid": 3412, "cid": 355 }, { "type": "call", "pid": 3412, "cid": 376 }, { "type": "call", "pid": 3412, "cid": 388 }, { "type": "call", "pid": 3412, "cid": 495 }, { "type": "call", "pid": 3412, "cid": 496 }, { "type": "call", "pid": 3412, "cid": 552 }, { "type": "call", "pid": 3412, "cid": 579 }, { "type": "call", "pid": 3412, "cid": 737 }, { "type": "call", "pid": 3412, "cid": 909 }, { "type": "call", "pid": 3412, "cid": 1048 }, { "type": "call", "pid": 3412, "cid": 1136 }, { "type": "call", "pid": 3412, "cid": 1231 }, { "type": "call", "pid": 3412, "cid": 1406 }, { "type": "call", "pid": 3412, "cid": 1407 }, { "type": "call", "pid": 3412, "cid": 1571 }, { "type": "call", "pid": 3412, "cid": 1683 }, { "type": "call", "pid": 3412, "cid": 1755 }, { "type": "call", "pid": 3412, "cid": 1757 }, { "type": "call", "pid": 3412, "cid": 1759 }, { "type": "call", "pid": 3412, "cid": 1761 }, { "type": "call", "pid": 3412, "cid": 1809 }, { "type": "call", "pid": 3412, "cid": 1817 }, { "type": "call", "pid": 3412, "cid": 1819 }, { "type": "call", "pid": 3412, "cid": 1822 }, { "type": "call", "pid": 3412, "cid": 1826 }, { "type": "call", "pid": 3412, "cid": 1830 }, { "type": "call", "pid": 3412, "cid": 1831 }, { "type": "call", "pid": 3412, "cid": 1832 }, { "type": "call", "pid": 3412, "cid": 1833 }, { "type": "call", "pid": 3412, "cid": 1834 }, { "type": "call", "pid": 3412, "cid": 1835 }, { "type": "call", "pid": 3412, "cid": 1836 }, { "type": "call", "pid": 3412, "cid": 1837 }, { "type": "call", "pid": 3412, "cid": 1838 }, { "type": "call", "pid": 3412, "cid": 1839 }, { "type": "call", "pid": 3412, "cid": 1864 }, { "type": "call", "pid": 3412, "cid": 1865 }, { "type": "call", "pid": 3412, "cid": 1918 }, { "type": "call", "pid": 3412, "cid": 1919 }, { "type": "call", "pid": 3412, "cid": 1920 }, { "type": "call", "pid": 3412, "cid": 1924 }, { "type": "call", "pid": 3412, "cid": 1925 }, { "type": "call", "pid": 3412, "cid": 1973 }, { "type": "call", "pid": 3412, "cid": 2059 }, { "type": "call", "pid": 3412, "cid": 2060 }, { "type": "call", "pid": 3412, "cid": 2138 }, { "type": "call", "pid": 3412, "cid": 2139 }, { "type": "call", "pid": 3412, "cid": 2143 }, { "type": "call", "pid": 3412, "cid": 2144 }, { "type": "call", "pid": 3412, "cid": 2146 }, { "type": "call", "pid": 3412, "cid": 2177 }, { "type": "call", "pid": 3412, "cid": 2181 }, { "type": "call", "pid": 3412, "cid": 2318 }, { "type": "call", "pid": 3412, "cid": 2319 }, { "type": "call", "pid": 3412, "cid": 2320 }, { "type": "call", "pid": 3412, "cid": 2322 }, { "type": "call", "pid": 3412, "cid": 2345 }, { "type": "call", "pid": 3412, "cid": 2349 }, { "type": "call", "pid": 3412, "cid": 2401 }, { "type": "call", "pid": 3412, "cid": 2483 }, { "type": "call", "pid": 3412, "cid": 2620 }, { "type": "call", "pid": 3412, "cid": 2650 } ], "new_data": [], "alert": false, "families": [] }, { "name": "queries_keyboard_layout", "description": "Queries the keyboard layout", "categories": [ "location_discovery" ], "severity": 1, "weight": 1, "confidence": 100, "references": [], "data": [ { "type": "call", "pid": 3412, "cid": 1772 }, { "type": "call", "pid": 3412, "cid": 1791 }, { "type": "call", "pid": 3412, "cid": 2002 }, { "type": "call", "pid": 3412, "cid": 2026 }, { "type": "call", "pid": 3412, "cid": 2061 }, { "type": "call", "pid": 3412, "cid": 2154 }, { "type": "call", "pid": 3412, "cid": 2339 }, { "type": "call", "pid": 3412, "cid": 2343 }, { "type": "call", "pid": 3412, "cid": 2447 }, { "type": "call", "pid": 3412, "cid": 2449 } ], "new_data": [], "alert": false, "families": [] }, { "name": "queries_locale_api", "description": "Queries the computer locale (possible geofencing)", "categories": [ "location_discovery", "geofence" ], "severity": 1, "weight": 1, "confidence": 100, "references": [], "data": [ { "type": "call", "pid": 3412, "cid": 1863 }, { "type": "call", "pid": 3412, "cid": 1944 }, { "type": "call", "pid": 3412, "cid": 2159 }, { "type": "call", "pid": 3412, "cid": 2327 }, { "type": "call", "pid": 3412, "cid": 2340 }, { "type": "call", "pid": 3412, "cid": 2342 } ], "new_data": [], "alert": false, "families": [] }, { "name": "antidebug_setunhandledexceptionfilter", "description": "SetUnhandledExceptionFilter detected (possible anti-debug)", "categories": [ "anti-debug" ], "severity": 1, "weight": 1, "confidence": 40, "references": [], "data": [ { "type": "call", "pid": 3412, "cid": 21 } ], "new_data": [], "alert": false, "families": [] }, { "name": "query_fips_reconnaissance", "description": "Queried the FIPS cryptography policy, can be used to adapt C2 network encryption or by legitimate encryption software", "categories": [ "discovery", "c2" ], "severity": 2, "weight": 1, "confidence": 50, "references": [], "data": [ { "type": "call", "pid": 3412, "cid": 126 }, { "type": "call", "pid": 3412, "cid": 127 }, { "type": "call", "pid": 3412, "cid": 130 }, { "type": "call", "pid": 3412, "cid": 132 }, { "type": "call", "pid": 3412, "cid": 133 }, { "behavioral_fips_reconnaissance": [ "AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'", "AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'" ] } ], "new_data": [], "alert": false, "families": [] }, { "name": "hardware_id_profiling", "description": "Queries the Volume Serial Number or Physical Hardware ID, possibly for anti-sandbox, victim profiling or environmental keying", "categories": [ "evasion", "recon", "anti-sandbox" ], "severity": 3, "weight": 1, "confidence": 80, "references": [], "data": [ { "type": "call", "pid": 3412, "cid": 252 }, { "type": "call", "pid": 3412, "cid": 340 } ], "new_data": [], "alert": false, "families": [] }, { "name": "binary_yara", "description": "Binary file triggered YARA rule", "categories": [ "static" ], "severity": 3, "weight": 1, "confidence": 80, "references": [], "data": [ { "Binary triggered YARA rule": "multiple_versions" } ], "new_data": [], "alert": false, "families": [] }, { "name": "folder_enumeration", "description": "Systematically searches multiple user directories using wildcards, common in ransomware/wipers/infostealers", "categories": [ "ransomware", "wiper", "infostealer", "discovery" ], "severity": 3, "weight": 1, "confidence": 70, "references": [], "data": [ { "target_folder": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Linguistics\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IMJP*\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\11.0\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\acrord32_sbx\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\LogTransport2\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Headlights\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Outlook\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Adobe\\Acrobat\\11.0\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Acrobat\\11.0\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Local\\Adobe\\Color\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Speech\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\IME*\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\Privileged\\11.0\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\8.0\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IME*\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IMJP*\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\Outlook\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\LocalLow\\Microsoft\\IMJP*\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\IME*\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Adobe\\Linguistics\\*" }, { "target_folder": "C:\\Users\\Rajesh\\Documents\\ArcotIDs\\*" }, { "target_folder": "C:\\Users\\Rajesh\\AppData\\Roaming\\Arcot\\Ids\\*" } ], "new_data": [], "alert": false, "families": [] } ], "malscore": 7.0, "ttps": [ { "signature": "hardware_id_profiling", "ttps": [ "T1082" ], "mbcs": [ "E1082", "E1480.001" ] }, { "signature": "query_fips_reconnaissance", "ttps": [ "T1082" ], "mbcs": [ "OC0006", "C0002" ] }, { "signature": "exploit_heapspray", "ttps": [ "T1203" ], "mbcs": [ "OB0009", "E1203", "OC0002", "C0006" ] }, { "signature": "folder_enumeration", "ttps": [ "T1083" ], "mbcs": [ "OC0006", "C0002" ] } ], "malstatus": null }